Windows Analysis Report
P020241901.exe

Overview

General Information

Sample name: P020241901.exe
Analysis ID: 1410986
MD5: f061401dd36dc8e88017ef9f9a43e5a7
SHA1: ea4d27815a1cf0f447fab333bdd52825e32807e3
SHA256: 935319064e3a30103096a9241c2467b7d19fdbd371d078554a1a7503e1a92cdd
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: P020241901.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Avira: detection malicious, Label: HEUR/AGEN.1306659
Found malware configuration
Source: 0.2.P020241901.exe.3799000.10.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cup.org.pk", "Username": "naseer@cup.org.pk", "Password": "Cup@123#"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: P020241901.exe ReversingLabs: Detection: 65%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: P020241901.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: P020241901.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: P020241901.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: kugJ.pdbSHA256 source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
Source: Binary string: kugJ.pdb source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\P020241901.exe Code function: 4x nop then jmp 06ED8906h 0_2_06ED85E7
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 4x nop then jmp 06B876CEh 10_2_06B873AF

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49711 -> 203.82.48.116:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 203.82.48.116:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAYATEL-PKNayatelPvtLtdPK NAYATEL-PKNayatelPvtLtdPK
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 203.82.48.116:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.cup.org.pk
Source: P020241901.exe, 00000009.00000002.3234380229.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3233407833.0000000002B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.cup.org.pk
Source: P020241901.exe, 00000000.00000002.2001137973.0000000002581000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000A.00000002.2042466300.0000000002679000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: P020241901.exe, 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, n00.cs .Net Code: meEYaI
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, n00.cs .Net Code: meEYaI

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.P020241901.exe.4e90000.13.raw.unpack, coEDuL4BIACsOV2Bcb.cs Large array initialization: : array initializer size 18997
Source: 0.2.P020241901.exe.25a3510.0.raw.unpack, coEDuL4BIACsOV2Bcb.cs Large array initialization: : array initializer size 18997
Detected potential crypto function
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_0097DCB4 0_2_0097DCB4
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_04A96CC8 0_2_04A96CC8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_04A90006 0_2_04A90006
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_04A90040 0_2_04A90040
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_04A96CB9 0_2_04A96CB9
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED3FD8 0_2_06ED3FD8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED3768 0_2_06ED3768
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED1C88 0_2_06ED1C88
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED3BA0 0_2_06ED3BA0
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED20C0 0_2_06ED20C0
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06ED20B0 0_2_06ED20B0
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_02809378 9_2_02809378
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_02804A98 9_2_02804A98
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_02809B30 9_2_02809B30
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_02803E80 9_2_02803E80
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_0280CE88 9_2_0280CE88
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_028041C8 9_2_028041C8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CCBCE8 9_2_05CCBCE8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC3F48 9_2_05CC3F48
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC56D8 9_2_05CC56D8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC2EE8 9_2_05CC2EE8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC0040 9_2_05CC0040
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC8B88 9_2_05CC8B88
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC9AC8 9_2_05CC9AC8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CCDDD8 9_2_05CCDDD8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC4FF8 9_2_05CC4FF8
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CC3648 9_2_05CC3648
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_0251DCB4 10_2_0251DCB4
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_04BC6CC8 10_2_04BC6CC8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_04BC0006 10_2_04BC0006
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_04BC0040 10_2_04BC0040
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_04BC6CB9 10_2_04BC6CB9
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B83FD8 10_2_06B83FD8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B83768 10_2_06B83768
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B81C88 10_2_06B81C88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B83BA0 10_2_06B83BA0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B820B0 10_2_06B820B0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B820C0 10_2_06B820C0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AA9378 14_2_02AA9378
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AA4A98 14_2_02AA4A98
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AA9B30 14_2_02AA9B30
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AACE88 14_2_02AACE88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AA3E80 14_2_02AA3E80
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_02AA41C8 14_2_02AA41C8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F4DD00 14_2_05F4DD00
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F4BCE8 14_2_05F4BCE8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F43F48 14_2_05F43F48
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F42EE8 14_2_05F42EE8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F456D8 14_2_05F456D8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F40040 14_2_05F40040
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F48B88 14_2_05F48B88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F49AC8 14_2_05F49AC8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F44FF8 14_2_05F44FF8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 14_2_05F43648 14_2_05F43648
Sample file is different than original file name gathered from version info
Source: P020241901.exe, 00000000.00000002.2000269983.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9bd5bdf1-67e0-44ac-acb3-9f26dbc64b5d.exe4 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2001137973.00000000025CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9bd5bdf1-67e0-44ac-acb3-9f26dbc64b5d.exe4 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2019464746.0000000007268000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekugJ.exe< vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs P020241901.exe
Source: P020241901.exe, 00000009.00000002.3231223568.0000000000959000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs P020241901.exe
Source: P020241901.exe Binary or memory string: OriginalFilenamekugJ.exe< vs P020241901.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: msv1_0.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: ntlmshared.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Section loaded: cryptdll.dll
Uses 32bit PE files
Source: P020241901.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: P020241901.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VKkzqGUhsZwwm.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, fpnV0Qjz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, fpnV0Qjz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: _0020.SetAccessControl
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: _0020.AddAccessRule
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Mon41UfUXZQosr60DT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: _0020.SetAccessControl
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs Security API names: _0020.AddAccessRule
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Mon41UfUXZQosr60DT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/1
Source: C:\Users\user\Desktop\P020241901.exe File created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Users\user\Desktop\P020241901.exe File created: C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp Jump to behavior
Source: P020241901.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: P020241901.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\P020241901.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: P020241901.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\P020241901.exe File read: C:\Users\user\Desktop\P020241901.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\P020241901.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: P020241901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: P020241901.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: P020241901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: kugJ.pdbSHA256 source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
Source: Binary string: kugJ.pdb source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: P020241901.exe, frmGetData.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: VKkzqGUhsZwwm.exe.0.dr, frmGetData.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.4e90000.13.raw.unpack, Uni.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs .Net Code: xHRHxx28gr System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs .Net Code: xHRHxx28gr System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.25a3510.0.raw.unpack, Uni.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: P020241901.exe Static PE information: 0x9A0837A8 [Wed Nov 22 01:36:40 2051 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\P020241901.exe Code function: 0_2_06EDABA6 push dword ptr [edx+ebp*2-75h]; iretd 0_2_06EDABAF
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CCBCD2 push es; retf 9_2_05CCBCE2
Source: C:\Users\user\Desktop\P020241901.exe Code function: 9_2_05CCC451 push cs; retf 9_2_05CCC452
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Code function: 10_2_06B89985 push FFFFFF8Bh; iretd 10_2_06B89987
Source: P020241901.exe Static PE information: section name: .text entropy: 7.992542733514758
Source: VKkzqGUhsZwwm.exe.0.dr Static PE information: section name: .text entropy: 7.992542733514758
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, QXEfCQbO4ejMkoi2pkL.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x6fktjWuqX', 'sVMkdSc0Qg', 'tCKkGh5fAb', 'NrGk1kv11V', 'FIIkbncMZt', 'fK1k8HeUlv', 'kg7krYiAfE'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, L6xr2KDkKl0X9RNbit.cs High entropy of concatenated method names: 'vdaWjJBIGN', 'M0HWmXNaoQ', 'kYOWZBFKFd', 'WDeWP3AY87', 'QCEWAaTxAB', 'SmqWgnEH4Q', 'LNo0iORSgJ2QLHLO4B', 'VHxEspssYrjArm4Lj1', 'GvxWWWyCpp', 'tbJW6U8ETH'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, qfrOihsrVIqemUYdKb.cs High entropy of concatenated method names: 'ToString', 'H8Og50Nunx', 's6rgKYiiYH', 'bH7gNSQ1dU', 'RUCgqOC56e', 'SrRg4Dwst5', 'rGjg049eAu', 'x9sglwBZJX', 'x6HgXiRS1k', 'zntg94e2cp'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, iGTtMKSJFrUfVV0vaA.cs High entropy of concatenated method names: 'GPpVZpaJFI', 'AvXVP4LsJd', 'ToString', 'EdFVakxFDX', 'GVuVRXL6ay', 'uTlVM4jCDR', 'J9MVvicmQg', 'sgwV74PK0m', 'svkVjpA3Jb', 'FGiVmj9nSb'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, bPNNRdxo201VexQ9ab.cs High entropy of concatenated method names: 'pKkyw4TH5K', 'BsqyKkklTS', 'huryNi9qIE', 'Q12yqyBcdE', 'gtVyt2017o', 'R6Uy4OnCTA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, cadg7Rdhg8q8Fy4m9y.cs High entropy of concatenated method names: 'GOZSUxuYfY', 'UClSBFXhZU', 'TKjSw2DAMv', 'G16SK9yXoM', 'qSpSqZ2Zq4', 'BRIS430fnL', 'jRTSl8lr6e', 'n4cSX3Ya3s', 'x0DSOF1VUn', 'zG5S5i5xt8'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, je9TcX0xAKQDM7LNZD.cs High entropy of concatenated method names: 'M6xvowGRiB', 'fB3vevlLeC', 'uUVMNRonH5', 'FDDMq6YWC9', 'uL8M4t7XH6', 'suDM08xRur', 'z8gMl4xv4L', 'gvcMXivfpa', 'm8OM9lPrjy', 'CI1MO7vaqF'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs High entropy of concatenated method names: 'kMr6srje9M', 'O386aNTZAq', 'kxe6RMR219', 'oEb6MMKdoK', 'ntR6vY8aTd', 'vPP67HcbJM', 'Dk16jDNrKX', 'Onq6mnFVnW', 'Aht6hnlUXT', 'sSb6ZhkjTK'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Mon41UfUXZQosr60DT.cs High entropy of concatenated method names: 'DnmRtekQlP', 'vnrRdwBpSl', 't3BRG098iJ', 'lKMR1yvS6S', 'tGARbfmlaI', 'NT5R8tTlFI', 'SBmRrk8y9w', 'VjTRJGomwO', 'P8uRDwOV4a', 'u4HRcY2SZ9'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, tQZKKOEqWWpeP4Vpaf.cs High entropy of concatenated method names: 'bYwyaAFNfN', 'gXbyRZmhQH', 'c4UyMbflvQ', 'BVZyvZIOQe', 'HrJy7w2xll', 'ljTyjovIYh', 'fLkymufj1M', 'Neqyh6cccP', 'QCMyZaiFZC', 'hBDyP52ovJ'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, go06C9moK82tIqZfYy.cs High entropy of concatenated method names: 'zK3xN6txm', 'n1dTWSSuR', 'HAau0aoeQ', 'I6fesj9jT', 'XAqBHjxrZ', 'tPAFKG0jh', 'EZ9jFTgT7Xd7g5KoQw', 'l4wclXTS3cjFpnhayv', 'D68yEMTKl', 'I7fkTeePG'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, G3IEi4ompnZTtFNQRs.cs High entropy of concatenated method names: 'cjDVJFOxu1', 'hfNVcChc1U', 'APdyQIZUbh', 'D5FyWRHW6v', 'FnBV52OX52', 'eDqVf7TYbO', 'lvDVEVdvso', 'CGFVtI8KYU', 'xgAVdlxwVw', 'KWsVGkY5cK'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Iy6OlWlTI2sYZDWQ9K.cs High entropy of concatenated method names: 'fSGnWspfQG', 'EE9n6cu1dJ', 'EY5nHRgaHs', 'SsNnaO9cRK', 'OPAnR2V72F', 'fkXnvbVm7F', 'Ii1n7bANUc', 'kQIyrDUyRg', 'Q3fyJANjh5', 'JMdyDXW5TB'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, FXeZkIvxW4V3GyxGyW.cs High entropy of concatenated method names: 'qCd7sFdZME', 'tbu7RsX5NB', 'wlD7vupM3G', 'F927jinM7M', 'OAg7m39fn3', 'aJOvbJPr5g', 'La2v8JCHHW', 'HcnvrTuRmv', 'ePQvJJLLg1', 'ClavD2HuJZ'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, wgEvRkgLjLLSsfE0cN.cs High entropy of concatenated method names: 'P4kMTkW5f5', 'p56MuLVlwX', 'mJGMUxbKTN', 'w3ZMBlRHgm', 'cj8MAErJgr', 's82MgGSyVM', 'kq9MVnFGpb', 'dRBMyMpiOq', 'zuxMnThgpY', 'Q1oMkQsHxb'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, LS7BVe6fJxxEsYdQMj.cs High entropy of concatenated method names: 'Dispose', 'aByWDSHOS6', 'xaoCKK0MkA', 'Gxw22VDmM1', 'WuhWcsbufo', 'hCOWzXDynr', 'ProcessDialogKey', 'XOjCQu3nFD', 'rQsCWHnAl6', 'JSeCCMGxdv'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, VWxAWNb5I4Q1gTqGVMC.cs High entropy of concatenated method names: 'VvonIyDaPH', 'ibenYfsUhR', 'gu6nxA54IR', 'yCInTtBdfM', 'fZunokEmxZ', 'UZ4nuVNIGS', 'HUCnecoW8Q', 'bvgnUSe9fD', 'S5LnBv8fKI', 'hF6nFpqSyH'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, uW1uhjX5Oiqh7yN2Hx.cs High entropy of concatenated method names: 'gEPjICbLS7', 'eRVjYMGovT', 'OyVjxynUGH', 'ge0jT6vcoU', 'HKajomD2tt', 'a5NjusyGt5', 'aS3jeSkJnw', 'TY6jUo8IWQ', 'FNwjBAN1s0', 'eUvjFjVU1A'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, QXEfCQbO4ejMkoi2pkL.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x6fktjWuqX', 'sVMkdSc0Qg', 'tCKkGh5fAb', 'NrGk1kv11V', 'FIIkbncMZt', 'fK1k8HeUlv', 'kg7krYiAfE'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, L6xr2KDkKl0X9RNbit.cs High entropy of concatenated method names: 'vdaWjJBIGN', 'M0HWmXNaoQ', 'kYOWZBFKFd', 'WDeWP3AY87', 'QCEWAaTxAB', 'SmqWgnEH4Q', 'LNo0iORSgJ2QLHLO4B', 'VHxEspssYrjArm4Lj1', 'GvxWWWyCpp', 'tbJW6U8ETH'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, qfrOihsrVIqemUYdKb.cs High entropy of concatenated method names: 'ToString', 'H8Og50Nunx', 's6rgKYiiYH', 'bH7gNSQ1dU', 'RUCgqOC56e', 'SrRg4Dwst5', 'rGjg049eAu', 'x9sglwBZJX', 'x6HgXiRS1k', 'zntg94e2cp'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, iGTtMKSJFrUfVV0vaA.cs High entropy of concatenated method names: 'GPpVZpaJFI', 'AvXVP4LsJd', 'ToString', 'EdFVakxFDX', 'GVuVRXL6ay', 'uTlVM4jCDR', 'J9MVvicmQg', 'sgwV74PK0m', 'svkVjpA3Jb', 'FGiVmj9nSb'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, bPNNRdxo201VexQ9ab.cs High entropy of concatenated method names: 'pKkyw4TH5K', 'BsqyKkklTS', 'huryNi9qIE', 'Q12yqyBcdE', 'gtVyt2017o', 'R6Uy4OnCTA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, cadg7Rdhg8q8Fy4m9y.cs High entropy of concatenated method names: 'GOZSUxuYfY', 'UClSBFXhZU', 'TKjSw2DAMv', 'G16SK9yXoM', 'qSpSqZ2Zq4', 'BRIS430fnL', 'jRTSl8lr6e', 'n4cSX3Ya3s', 'x0DSOF1VUn', 'zG5S5i5xt8'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, je9TcX0xAKQDM7LNZD.cs High entropy of concatenated method names: 'M6xvowGRiB', 'fB3vevlLeC', 'uUVMNRonH5', 'FDDMq6YWC9', 'uL8M4t7XH6', 'suDM08xRur', 'z8gMl4xv4L', 'gvcMXivfpa', 'm8OM9lPrjy', 'CI1MO7vaqF'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs High entropy of concatenated method names: 'kMr6srje9M', 'O386aNTZAq', 'kxe6RMR219', 'oEb6MMKdoK', 'ntR6vY8aTd', 'vPP67HcbJM', 'Dk16jDNrKX', 'Onq6mnFVnW', 'Aht6hnlUXT', 'sSb6ZhkjTK'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Mon41UfUXZQosr60DT.cs High entropy of concatenated method names: 'DnmRtekQlP', 'vnrRdwBpSl', 't3BRG098iJ', 'lKMR1yvS6S', 'tGARbfmlaI', 'NT5R8tTlFI', 'SBmRrk8y9w', 'VjTRJGomwO', 'P8uRDwOV4a', 'u4HRcY2SZ9'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, tQZKKOEqWWpeP4Vpaf.cs High entropy of concatenated method names: 'bYwyaAFNfN', 'gXbyRZmhQH', 'c4UyMbflvQ', 'BVZyvZIOQe', 'HrJy7w2xll', 'ljTyjovIYh', 'fLkymufj1M', 'Neqyh6cccP', 'QCMyZaiFZC', 'hBDyP52ovJ'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, go06C9moK82tIqZfYy.cs High entropy of concatenated method names: 'zK3xN6txm', 'n1dTWSSuR', 'HAau0aoeQ', 'I6fesj9jT', 'XAqBHjxrZ', 'tPAFKG0jh', 'EZ9jFTgT7Xd7g5KoQw', 'l4wclXTS3cjFpnhayv', 'D68yEMTKl', 'I7fkTeePG'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, G3IEi4ompnZTtFNQRs.cs High entropy of concatenated method names: 'cjDVJFOxu1', 'hfNVcChc1U', 'APdyQIZUbh', 'D5FyWRHW6v', 'FnBV52OX52', 'eDqVf7TYbO', 'lvDVEVdvso', 'CGFVtI8KYU', 'xgAVdlxwVw', 'KWsVGkY5cK'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Iy6OlWlTI2sYZDWQ9K.cs High entropy of concatenated method names: 'fSGnWspfQG', 'EE9n6cu1dJ', 'EY5nHRgaHs', 'SsNnaO9cRK', 'OPAnR2V72F', 'fkXnvbVm7F', 'Ii1n7bANUc', 'kQIyrDUyRg', 'Q3fyJANjh5', 'JMdyDXW5TB'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, FXeZkIvxW4V3GyxGyW.cs High entropy of concatenated method names: 'qCd7sFdZME', 'tbu7RsX5NB', 'wlD7vupM3G', 'F927jinM7M', 'OAg7m39fn3', 'aJOvbJPr5g', 'La2v8JCHHW', 'HcnvrTuRmv', 'ePQvJJLLg1', 'ClavD2HuJZ'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, wgEvRkgLjLLSsfE0cN.cs High entropy of concatenated method names: 'P4kMTkW5f5', 'p56MuLVlwX', 'mJGMUxbKTN', 'w3ZMBlRHgm', 'cj8MAErJgr', 's82MgGSyVM', 'kq9MVnFGpb', 'dRBMyMpiOq', 'zuxMnThgpY', 'Q1oMkQsHxb'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, LS7BVe6fJxxEsYdQMj.cs High entropy of concatenated method names: 'Dispose', 'aByWDSHOS6', 'xaoCKK0MkA', 'Gxw22VDmM1', 'WuhWcsbufo', 'hCOWzXDynr', 'ProcessDialogKey', 'XOjCQu3nFD', 'rQsCWHnAl6', 'JSeCCMGxdv'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, VWxAWNb5I4Q1gTqGVMC.cs High entropy of concatenated method names: 'VvonIyDaPH', 'ibenYfsUhR', 'gu6nxA54IR', 'yCInTtBdfM', 'fZunokEmxZ', 'UZ4nuVNIGS', 'HUCnecoW8Q', 'bvgnUSe9fD', 'S5LnBv8fKI', 'hF6nFpqSyH'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, uW1uhjX5Oiqh7yN2Hx.cs High entropy of concatenated method names: 'gEPjICbLS7', 'eRVjYMGovT', 'OyVjxynUGH', 'ge0jT6vcoU', 'HKajomD2tt', 'a5NjusyGt5', 'aS3jeSkJnw', 'TY6jUo8IWQ', 'FNwjBAN1s0', 'eUvjFjVU1A'
Drops PE files
Source: C:\Users\user\Desktop\P020241901.exe File created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7260, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2390000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 7340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 6D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 8340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 9340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 6FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 69E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 6FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 4AF0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2478 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2389 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Window / User API: threadDelayed 4323 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Window / User API: threadDelayed 5507 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Window / User API: threadDelayed 2000
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Window / User API: threadDelayed 7850
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\P020241901.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4580 Thread sleep count: 2478 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 110 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4160 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99888s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7324 Thread sleep count: 4323 > 30 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99774s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99661s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7324 Thread sleep count: 5507 > 30 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99186s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99077s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98965s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98501s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96169s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96061s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95838s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95495s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95153s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94265s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7420 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7620 Thread sleep count: 2000 > 30
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7620 Thread sleep count: 7850 > 30
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99381s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99030s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98139s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97324s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96891s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96781s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96672s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96563s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96438s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96219s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95875s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95766s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95547s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95438s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95313s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94969s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94750s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94531s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94422s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94312s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99888 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99774 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99661 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99297 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99186 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99077 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98965 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98843 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98734 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98501 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98375 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98265 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98156 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98047 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97828 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97718 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97609 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97500 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97390 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97281 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97171 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97062 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96953 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96843 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96734 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96625 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96515 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96406 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96169 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 96061 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95953 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95838 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95718 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95609 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95495 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95375 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95265 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95153 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 95031 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94921 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94812 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94703 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94593 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94484 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94375 Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 94265 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99381
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99250
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99141
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 99030
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98703
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98139
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97702
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97469
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97324
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 97000
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96891
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96781
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96672
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96563
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96438
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96328
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96219
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 96094
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95875
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95766
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95656
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95547
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95438
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95313
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95203
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94969
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94859
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94750
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94641
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94531
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94422
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 94312
Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: go06C9moK82tIqZfYyXFyHnObvr3rETjTdJKrovpuWOrJRdZAY1NhbL6xr2KDkKl0X9RNbitViXC2bICkPN7xvjou9v8j7Vr46OJCQSUieKOLS7BVe6fJxxEsYdQMjUserControlSystem.Windows.FormsBsoJdVRmu5nnFQavYBUITypeEditorSystem.Drawing.DesignSystem.DrawingvZWtiWV13yU3vV9Kh5EnumV2nvDqc7RyF0ks5tTrJObTin3CXn6UMXNCsYzcoFxPGFG5DVnMwYGRLZOicG8haQp72CnjdtMulticastDelegateWH7aWt1NlDl4G9LLBFYYHtB798QniySMMM3jDkSAcHTR8C2aoXqeq2q751oqafFxvmHuowBuyvIvDuj2O5iArGaAZKKZtlkCWLjY5O1adiwSorcrF8N30gtjjgfmGtor1EDL2bYKO2jKJdiezsOj0QLGA0LU4RrWXoiDBn8aFBLTN9MUyKfMNhIACoJgfVWl8ZPi84JFSVG6w8tDxTTva1AXJDxZW4CBlmB1X6LC85HIoPtUAkW23ojW43PIBYdwKu7ZXXPrjHPgpkJr4plIk3p1lMaVhOaokelDeCr6UGmcdOJNjxaf2Hv8uSR1LPhVp97Xo3Hjt6Pv64bOLnHfyggiGViri5EAGY8Y8kxhMon41UfUXZQosr60DTwgEvRkgLjLLSsfE0cNje9TcX0xAKQDM7LNZDFXeZkIvxW4V3GyxGyWIbYb8sMhFtXyAAW6DLme7sX2nkHVGFMOkfDOBO4V0TYJE8HF53XACrpCXanipSlFsT8289XTMyob6RQUhhW6Vl5ku9s71gq1ZDn8bwgwkvCiyphBY1Bmn1A8FYmoH9uW1uhjX5Oiqh7yN2HxwtDEnihgHyZauUHyt3XGD6icUQC0Cnq4SE2xEventArgsve7tyRHs4WHXJfRZvpApplicationExceptioncadg7Rdhg8q8Fy4m9yqTFDAaqqKDin8RPIp2jUDTrMKoAfDNbGILbvqfrOihsrVIqemUYdKbiGTtMKSJFrUfVV0vaACL65FXeurTn9E8fCEaG3IEi4ompnZTtFNQRsvIhF1ut1HeAV7lN7QKtQZKKOEqWWpeP4VpafbPNNRdxo201VexQ9abRandomIy6OlWlTI2sYZDWQ9KDgvB8pzEaIlIvY5eQSExpandableObjectConverterSystem.ComponentModelVWxAWNb5I4Q1gTqGVMCkWnSbhbbCWtgjjeSpSOIue4QBbmdGk7MRxcCKKQXEfCQbO4ejMkoi2pkL<Module>{A5B7D210-A563-43EF-9C8F-E1ED8BE4CD90}QXB9VtbDufJ2i45vqGSkde3Y8bIspnpq32sr85xLIHnQbRku0p32M98TE<PrivateImplementationDetails>{331EA7A6-2D0B-4CE5-86FC-A51130E255B7}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qfrOihsrVIqemUYdKb
Source: VKkzqGUhsZwwm.exe, 0000000E.00000002.3242832019.0000000006130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: P020241901.exe, 00000009.00000002.3231496428.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\P020241901.exe Memory written: C:\Users\user\Desktop\P020241901.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory written: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Users\user\Desktop\P020241901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Users\user\Desktop\P020241901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\P020241901.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\P020241901.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\P020241901.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410986 Sample: P020241901.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 42 mail.cup.org.pk 2->42 44 _kerberos._tcp.dc._msdcs.cup.org.pk 2->44 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 10 other signatures 2->54 8 P020241901.exe 7 2->8         started        12 VKkzqGUhsZwwm.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\VKkzqGUhsZwwm.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpF9C9.tmp, XML 8->40 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Adds a directory exclusion to Windows Defender 8->60 62 Injects a PE file into a foreign processes 8->62 14 P020241901.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 24 VKkzqGUhsZwwm.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 46 mail.cup.org.pk 203.82.48.116, 49708, 49711, 587 NAYATEL-PKNayatelPvtLtdPK Pakistan 14->46 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->70 72 Tries to steal Mail credentials (via file / registry access) 24->72 74 Tries to harvest and steal browser information (history, passwords, etc) 24->74 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
203.82.48.116
 mail.cup.org.pk Pakistan
23674 NAYATEL-PKNayatelPvtLtdPK true

Contacted Domains

Name IP Active
mail.cup.org.pk 203.82.48.116 true
_kerberos._tcp.dc._msdcs.cup.org.pk unknown unknown