Windows Analysis Report
Pnihosiyvr.exe

Overview

General Information

Sample name: Pnihosiyvr.exe
Analysis ID: 1424362
MD5: 99c80808c736d6fd95ea79e6bfe081b1
SHA1: d275a3facf1c4a420ef8b9a66a400f3a4643580d
SHA256: aa511f2aacc4e1166ae02e6fa9feb4f9f5f76583a040e9681781dbb79fe582c4
Infos:

Detection

PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MSILDownloaderGeneric
Yara detected PureLog Stealer
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mensure.ceylan@guneyoto.com.tr", "Password": "Batman7221", "Host": "mail.guneyoto.com.tr", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: https://scratchdreams.tk Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Virustotal: Detection: 55% Perma Link
Multi AV Scanner detection for submitted file
Source: Pnihosiyvr.exe ReversingLabs: Detection: 39%
Source: Pnihosiyvr.exe Virustotal: Detection: 55% Perma Link
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49732 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: Pnihosiyvr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\MSBuild.pdb% source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: protobuf-net.pdb source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb" source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: 0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbE source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb[ source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: pC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2332223739.000001A345430000.00000004.08000000.00040000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A950A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2332223739.000001A345430000.00000004.08000000.00040000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A950A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdbll source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: symbols\exe\MSBuild.pdb.pdb` source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb! source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr

Networking
barindex
Yara detected MSILDownloaderGeneric
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2326053740.000001A32CC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2853021181.0000020A80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2769148817.000001D2987F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49732 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/156.146.36.197 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: MSBuild.exe, 00000003.00000002.2519177655.000002592BFB3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357B95000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357C03000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BF0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BA8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BBB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357ADC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357B82000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.000001618010A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801C4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: MSBuild.exe, 0000000D.00000002.3229739212.00000161801D7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161800FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000003.00000002.2519177655.000002592BEA1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.00000183579D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.0000016180001000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3235921937.00000161FBD46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/A
Source: MSBuild.exe, 0000000D.00000002.3235921937.00000161FBD46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/P6
Source: Pnihosiyvr.exe, 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 0000000C.00000002.3069095152.0000018370213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftS
Source: MSBuild.exe, 0000000C.00000002.3064626577.0000018357B95000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357AFC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357C03000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BF0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BA8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BBB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357B82000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801C4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.000001618012D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC01000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2519177655.000002592BEA1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D2987F1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80001000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.00000183579D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.0000016180001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC01000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D2987F1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC01000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D2987F1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=662
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MSBuild.exe, 0000000C.00000002.3064626577.0000018357B2A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357B95000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357C03000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BF0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BA8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357BBB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357ADC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357B82000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.000001618010A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.00000161801C4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.0000016180158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Pnihosiyvr.exe, 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.0000018357ADC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.000001618010A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 0000000D.00000002.3229739212.0000016180158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/156.146.36.197
Source: MSBuild.exe, 0000000C.00000002.3064626577.0000018357ADC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.000001618010A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/156.146.36.197p
Source: Pnihosiyvr.exe, 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2519177655.000002592BEA1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3064626577.00000183579D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3229739212.0000016180001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CFB1000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298BD0000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F42E70 0_2_00007FF848F42E70
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F413A8 0_2_00007FF848F413A8
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F475D3 0_2_00007FF848F475D3
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F213A8 8_2_00007FF848F213A8
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F22E70 8_2_00007FF848F22E70
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F275D3 8_2_00007FF848F275D3
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F113A8 11_2_00007FF848F113A8
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F12E70 11_2_00007FF848F12E70
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F175D3 11_2_00007FF848F175D3
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2128 -s 1412
PE file does not import any functions
Source: Pnihosiyvr.exe Static PE information: No import functions for PE file found
Source: sssssssssssssssss.exe.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Pnihosiyvr.exe, 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33CFF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEqknqzt.dll" vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2332223739.000001A345430000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D6EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEqknqzt.dll" vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2333090134.000001A3456F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEqknqzt.dll" vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs Pnihosiyvr.exe
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs Pnihosiyvr.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\choice.exe Section loaded: version.dll
Yara signature match
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Pnihosiyvr.exe, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: sssssssssssssssss.exe.0.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: Pnihosiyvr.exe, -.cs Base64 encoded string: 'zQERSeAlsCoHW+kt/QwLUutm3wsRWOgq8gFZeuA82xYWT/wJ7QsHUOck50MFWPEX2A0OUcsp8x1ZUvUX1xYHTPAp8hEWRL4v+ww9ceAm+QwKBsIt6iwbTeAO7BcPdeQm+hQHBuIt6icsXOgtpTEMWeAw0R5Zb+Ap+isWT+wm+UMjWeFz+R0WYtUn7REWVOompR8HSdoL6woQWOs82hcPXOwmpSsHScEp6hlZDrVwp0hZfPY7+xUAUfwb+woUWPdzzREPTekt3wsRWOgq8gEnRfUk8QoHT74q/xoHUfMlpQsPUu4t6h0RSQ=='
Source: sssssssssssssssss.exe.0.dr, -.cs Base64 encoded string: 'zQERSeAlsCoHW+kt/QwLUutm3wsRWOgq8gFZeuA82xYWT/wJ7QsHUOck50MFWPEX2A0OUcsp8x1ZUvUX1xYHTPAp8hEWRL4v+ww9ceAm+QwKBsIt6iwbTeAO7BcPdeQm+hQHBuIt6icsXOgtpTEMWeAw0R5Zb+Ap+isWT+wm+UMjWeFz+R0WYtUn7REWVOompR8HSdoL6woQWOs82hcPXOwmpSsHScEp6hlZDrVwp0hZfPY7+xUAUfwb+woUWPdzzREPTekt3wsRWOgq8gEnRfUk8QoHT74q/xoHUfMlpQsPUu4t6h0RSQ=='
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb
Source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdbll
Source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/10@4/4
Source: C:\Users\user\Desktop\Pnihosiyvr.exe File created: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2128
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c7462d7f-0067-4721-b650-8c2504655a05 Jump to behavior
Source: Pnihosiyvr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Pnihosiyvr.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Pnihosiyvr.exe ReversingLabs: Detection: 39%
Source: Pnihosiyvr.exe Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\Pnihosiyvr.exe File read: C:\Users\user\Desktop\Pnihosiyvr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Pnihosiyvr.exe "C:\Users\user\Desktop\Pnihosiyvr.exe"
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2128 -s 1412
Source: unknown Process created: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe "C:\Users\user\AppData\Roaming\sssssssssssssssss.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe "C:\Users\user\AppData\Roaming\sssssssssssssssss.exe"
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Pnihosiyvr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pnihosiyvr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\MSBuild.pdb% source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: protobuf-net.pdb source: Pnihosiyvr.exe, 00000000.00000002.2332061251.000001A3453E0000.00000004.08000000.00040000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9986000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9922000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb" source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: 0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbE source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb[ source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: pC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2332223739.000001A345430000.00000004.08000000.00040000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A950A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2332223739.000001A345430000.00000004.08000000.00040000.00000000.sdmp, Pnihosiyvr.exe, 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2774836682.000001D2A950A000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdbll source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: symbols\exe\MSBuild.pdb.pdb` source: MSBuild.exe, 00000003.00000002.2517354331.0000009185DF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb! source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\amd64\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2519004275.000002592BD20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER2BA4.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2BA4.tmp.dmp.6.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Pnihosiyvr.exe, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: Pnihosiyvr.exe, Program.cs .Net Code: Main System.AppDomain.Load(byte[])
Source: sssssssssssssssss.exe.0.dr, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: sssssssssssssssss.exe.0.dr, Program.cs .Net Code: Main System.AppDomain.Load(byte[])
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d298b4c3c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d298b4c3c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a9798318.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a98b03c0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a9810388.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a32cb00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a97c0350.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a97c0350.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a9798318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2769148817.000001D298B45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2774836682.000001D2A9703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2774836682.000001D2A98B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2325981322.000001A32CB00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F4D022 push eax; iretd 0_2_00007FF848F4D023
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F4D032 pushad ; iretd 0_2_00007FF848F4D033
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF849201D35 push eax; ret 0_2_00007FF849201D36
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF849201D2E push eax; ret 0_2_00007FF849201D2F
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Code function: 0_2_00007FF8492061BE push ebx; ret 0_2_00007FF8492061DA
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F2000A push ds; iretd 8_2_00007FF848F2002A
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F2D022 push eax; iretd 8_2_00007FF848F2D023
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F2D032 pushad ; iretd 8_2_00007FF848F2D033
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 8_2_00007FF848F200BD pushad ; iretd 8_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F1D022 push eax; iretd 11_2_00007FF848F1D023
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F1D032 pushad ; iretd 11_2_00007FF848F1D033
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF848F100BD pushad ; iretd 11_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Code function: 11_2_00007FF8491E91BC pushfd ; iretd 11_2_00007FF8491E91BD
Drops PE files
Source: C:\Users\user\Desktop\Pnihosiyvr.exe File created: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Jump to dropped file
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sssssssssssssssss Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sssssssssssssssss Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Pnihosiyvr.exe, 00000000.00000002.2326053740.000001A32CC78000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 00000008.00000002.2769148817.000001D298AE8000.00000004.00000800.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory allocated: 1A32B2B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory allocated: 1A344C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 2592A400000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 25943EA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory allocated: 1D296DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory allocated: 1D2B07F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory allocated: 20AF53A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory allocated: 20AF6CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 18355F20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 1836F9D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 161F99C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Memory allocated: 161FB640000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599451
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599016
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598213
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596124
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595837
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594251
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593797
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593577
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593468
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593245
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599651
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599215
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597468
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595937
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595499
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595390
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595281
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595171
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595062
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594843
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594625
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1631
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8217
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1396
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8462
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Pnihosiyvr.exe TID: 6524 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe TID: 3536 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe TID: 5504 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe TID: 6300 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep count: 32 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6324 Thread sleep count: 1631 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6324 Thread sleep count: 8217 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599451s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -599016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598213s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -598094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -597000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -596124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -595837s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -595719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -595609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -594251s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -594125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -594015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593245s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6308 Thread sleep time: -593125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep count: 31 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 4304 Thread sleep count: 1396 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 4304 Thread sleep count: 8462 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599651s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -599000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -598015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -597031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -596047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -595062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -594953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -594843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -594734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 5352 Thread sleep time: -594625s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599451
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599016
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598213
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596124
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595837
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594251
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593797
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593577
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593468
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593245
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599651
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599215
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597468
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595937
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595499
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595390
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595281
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595171
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595062
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594843
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594625
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: MSBuild.exe, 0000000D.00000002.3233871495.00000161F9996000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldel.
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 0000000C.00000002.3069095152.000001837026B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Pnihosiyvr.exe, 00000000.00000002.2325744683.000001A32B13E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2517889557.000002592A3CB000.00000004.00000020.00020000.00000000.sdmp, sssssssssssssssss.exe, 0000000B.00000002.2864449375.0000020AF52CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3062146427.0000018355E4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: sssssssssssssssss.exe, 0000000B.00000002.2853021181.0000020A80078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: sssssssssssssssss.exe, 00000008.00000002.2767908241.000001D296CE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Thread register set: target process: 2128 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread register set: target process: 5640 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Thread register set: target process: 5408 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140002000 Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140022000 Jump to behavior
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 918582F010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140002000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140022000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 6929A52010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140002000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140022000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 32814E5010 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Queries volume information: C:\Users\user\Desktop\Pnihosiyvr.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Queries volume information: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe Queries volume information: C:\Users\user\AppData\Roaming\sssssssssssssssss.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\Desktop\Pnihosiyvr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d211fd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d23a008.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d6ea0e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d28a040.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a3456f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a3456f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d6ea0e8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d211fd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d28a040.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d23a008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2327536841.000001A33D6EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2333090134.000001A3456F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327536841.000001A33CFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3064626577.0000018357C03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3229739212.0000016180001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3064626577.00000183579D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2519177655.000002592BEA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5408, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d211fd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d23a008.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d6ea0e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d28a040.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a3456f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a3456f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d6ea0e8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d211fd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d28a040.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d23a008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2327536841.000001A33D6EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2333090134.000001A3456F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327536841.000001A33CFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sssssssssssssssss.exe.20a90de1538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d992d00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95d0d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sssssssssssssssss.exe.1d2a95824c8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d91ac90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pnihosiyvr.exe.1a33d942cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2781011462.000001D2B1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2769148817.000001D298BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332481252.000001A34568A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2862679952.0000020A90DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3064626577.0000018357C03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2774836682.000001D2A9582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2853021181.0000020A80380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2517166281.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326053740.000001A32CF85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3229739212.0000016180001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3064626577.00000183579D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327536841.000001A33D91A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2519177655.000002592BEA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pnihosiyvr.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 6136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sssssssssssssssss.exe PID: 2608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5408, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1424362 Sample: Pnihosiyvr.exe Startdate: 11/04/2024 Architecture: WINDOWS Score: 100 35 checkip.dyndns.org 2->35 37 checkip.dyndns.com 2->37 39 5 other IPs or domains 2->39 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 9 other signatures 2->55 9 Pnihosiyvr.exe 15 5 2->9         started        14 sssssssssssssssss.exe 14 3 2->14         started        16 sssssssssssssssss.exe 2 2->16         started        signatures3 process4 dnsIp5 45 cdn.discordapp.com 162.159.135.233, 443, 49704, 49721 CLOUDFLARENETUS United States 9->45 33 C:\Users\user\...\sssssssssssssssss.exe, PE32+ 9->33 dropped 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->57 59 Writes to foreign memory regions 9->59 61 Modifies the context of a thread in another process (thread injection) 9->61 18 MSBuild.exe 14 2 9->18         started        63 Multi AV Scanner detection for dropped file 14->63 65 Injects a PE file into a foreign processes 14->65 21 MSBuild.exe 14->21         started        47 162.159.134.233, 443, 49730 CLOUDFLARENETUS United States 16->47 23 MSBuild.exe 16->23         started        file6 signatures7 process8 dnsIp9 41 checkip.dyndns.com 158.101.44.242, 49717, 49731, 49735 ORACLE-BMC-31898US United States 18->41 25 WerFault.exe 20 16 18->25         started        43 reallyfreegeoip.org 172.67.177.134, 443, 49732, 49734 CLOUDFLARENETUS United States 21->43 27 cmd.exe 21->27         started        process10 process11 29 conhost.exe 27->29         started        31 choice.exe 27->31         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US true
162.159.135.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false
172.67.177.134
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
162.159.134.233
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
cdn.discordapp.com 162.159.135.233 true
reallyfreegeoip.org 172.67.177.134 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ true
  • URL Reputation: safe
 unknown
https://cdn.discordapp.com/attachments/1223189307423064096/1227506231204253746/Vfjvqmgnpj.mp3?ex=6628a743&is=66163243&hm=e36bea9e5aea3063f473ba3c29865ff160adc592430b1e4958d27899b61679dc& false
    		high
    https://reallyfreegeoip.org/xml/156.146.36.197 false
    • Avira URL Cloud: safe
    		 unknown