Windows Analysis Report
100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe

Overview

General Information

Sample name: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
renamed because original name is a hash value
Original sample name: 100% .exe
Analysis ID: 1427732
MD5: 46671679e2bfeb94dad1e118d4909104
SHA1: 4bf9768c9ce786a4718e1e018d0d75a0c297500e
SHA256: 795fcc7c642b6d91ddf995889ff16ce329d3b96540ee479ba37cd8323cc69c46
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Virustotal: Detection: 43% Perma Link
Multi AV Scanner detection for submitted file
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe ReversingLabs: Detection: 54%
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Virustotal: Detection: 43% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 4x nop then jmp 06429DD1h 8_2_0642A00C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49730 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49731 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49731 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49731 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49731 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49731 -> 66.96.131.81:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49731 -> 66.96.131.81:587
Yara detected Generic Downloader
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 66.96.131.81:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.96.131.81 66.96.131.81
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BIZLAND-SDUS BIZLAND-SDUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 66.96.131.81:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.geasa.hn
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000007.00000002.2918628203.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, yPsuOErYR.exe, 0000000C.00000002.2918409019.0000000002B56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.geasa.hn
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691038877.0000000002971000.00000004.00000800.00020000.00000000.sdmp, yPsuOErYR.exe, 00000008.00000002.1727808828.0000000003021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000007.00000002.2915214038.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dy
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, yPsuOErYR.exe, 00000008.00000002.1729258906.0000000004262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, K6raBsUk6.cs .Net Code: dzZ

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.yPsuOErYR.exe.42622c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.yPsuOErYR.exe.429cce8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.yPsuOErYR.exe.429cce8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.yPsuOErYR.exe.42622c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, ArffAttribute.cs Large array initialization: : array initializer size 619146
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.299a3b4.0.raw.unpack, .cs Large array initialization: : array initializer size 13798
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.5320000.5.raw.unpack, .cs Large array initialization: : array initializer size 13798
Detected potential crypto function
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_00BFE158 0_2_00BFE158
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05067B3C 0_2_05067B3C
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05065124 0_2_05065124
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05069050 0_2_05069050
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05067088 0_2_05067088
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05067098 0_2_05067098
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_05067B30 0_2_05067B30
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_014696D8 7_2_014696D8
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_01469B28 7_2_01469B28
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_01464A98 7_2_01464A98
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_0146CDA8 7_2_0146CDA8
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_01463E80 7_2_01463E80
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_014641C8 7_2_014641C8
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B56E8 7_2_062B56E8
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B2EF8 7_2_062B2EF8
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B3F60 7_2_062B3F60
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062BBD20 7_2_062BBD20
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B9AF0 7_2_062B9AF0
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B8B93 7_2_062B8B93
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B0040 7_2_062B0040
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062BA8C0 7_2_062BA8C0
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B3647 7_2_062B3647
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062BA380 7_2_062BA380
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 7_2_062B5008 7_2_062B5008
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_02E3E158 8_2_02E3E158
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_0642BC50 8_2_0642BC50
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_06424718 8_2_06424718
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_06426258 8_2_06426258
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_064242C8 8_2_064242C8
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_064242E0 8_2_064242E0
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_06425E20 8_2_06425E20
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_06426B1F 8_2_06426B1F
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_06426B30 8_2_06426B30
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_010C9B28 12_2_010C9B28
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_010C4A98 12_2_010C4A98
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_010CCDA8 12_2_010CCDA8
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_010C3E80 12_2_010C3E80
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_010C41C8 12_2_010C41C8
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A2EF8 12_2_061A2EF8
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A56E8 12_2_061A56E8
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A3F60 12_2_061A3F60
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061ABD20 12_2_061ABD20
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A9AF0 12_2_061A9AF0
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A8B92 12_2_061A8B92
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A0040 12_2_061A0040
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A3647 12_2_061A3647
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 12_2_061A5008 12_2_061A5008
Sample file is different than original file name gathered from version info
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691038877.00000000029C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed4ce00f2-3121-4f47-9a0b-aa29b42ea4b3.exe4 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1695215783.0000000005320000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1696595029.00000000084DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1696595029.00000000084DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowe; vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed4ce00f2-3121-4f47-9a0b-aa29b42ea4b3.exe4 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1695828665.0000000005C60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1691038877.0000000002971000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000000.00000002.1689821517.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000007.00000002.2915909486.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Binary or memory string: OriginalFilenameEqpt.exe4 vs 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe
Uses 32bit PE files
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.yPsuOErYR.exe.42622c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.yPsuOErYR.exe.429cce8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.yPsuOErYR.exe.429cce8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.yPsuOErYR.exe.42622c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yPsuOErYR.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, rOWjgoovLa2t5nfnLU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, SIo0RMlAk7xImKHJVb.cs Security API names: _0020.SetAccessControl
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, SIo0RMlAk7xImKHJVb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, SIo0RMlAk7xImKHJVb.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Mutant created: \Sessions\1\BaseNamedObjects\KxhQWoCD
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File created: C:\Users\user\AppData\Local\Temp\tmp6D8B.tmp Jump to behavior
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe ReversingLabs: Detection: 54%
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File read: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe"
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yPsuOErYR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp6D8B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe C:\Users\user\AppData\Roaming\yPsuOErYR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CBD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe "C:\Users\user\AppData\Roaming\yPsuOErYR.exe"
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yPsuOErYR.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp6D8B.tmp" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CBD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe "C:\Users\user\AppData\Roaming\yPsuOErYR.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.299a3b4.0.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.5320000.5.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, SIo0RMlAk7xImKHJVb.cs .Net Code: QUr3KHS2dZ System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Code function: 0_2_00BF7EEE push eax; ret 0_2_00BF7EEF
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Code function: 8_2_02E37EEE push eax; ret 8_2_02E37EEF
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Static PE information: section name: .text entropy: 7.927920988767673
Source: yPsuOErYR.exe.0.dr Static PE information: section name: .text entropy: 7.927920988767673
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, qXCZ2LtT7tbgLZcac8.cs High entropy of concatenated method names: 'tq0KPgrO1', 'UT8yOWgSG', 'ejlP4QsX1', 'zHbgcoSko', 'ds8EkH54y', 'DDG1dENAi', 'J9fxKbh2yG2iT3Z4MW', 'ccuqiTN58h0cZSWyS3', 'NOok01nxm', 'Whs4VEYvx'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, n5GPAEw3wZnwjTcDag.cs High entropy of concatenated method names: 'eG6UTPXXk1', 'PsnUQyUfkt', 'MHYUKaI7fF', 'Om9Uy3OalV', 'ARNU2ux2MT', 'G7SUPID3Vt', 'eT6UgH3Uno', 'T5tUoAsUl1', 'JoKUEYii1M', 'l4AU1uUrXR'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, TF8nOlqvOb3pLCIB1t.cs High entropy of concatenated method names: 'ToString', 'xh8efwPLPq', 'OuUexuEAtR', 'MTMeHskT0o', 'GJdeLNES9R', 'FT9eMwwMm7', 'IupeFfkg4R', 'vHOenbV1j5', 'npTeDA322a', 'ClBewn8KOn'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, f79g5KiWNpaVPOZyYiy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EOH4VhjSwr', 'odB4jgbisi', 'BgJ4qPjf1U', 'HTg4hNeJ09', 'LEW4pfYFHv', 'IyJ46DXD6t', 't9g47x2DyJ'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, HyS0lo1ynD3CR096Dy.cs High entropy of concatenated method names: 'fNM02POfiW', 'oW70g2QmSw', 'H0hIH4UpcX', 't2yILCE8Lj', 'KXVIM5FPON', 'zePIFey9ep', 'E49InWks5R', 'f3bIDEfxFB', 'NxZIwJjlcg', 'etyIs2nKwS'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, rOWjgoovLa2t5nfnLU.cs High entropy of concatenated method names: 'xtBbV4jPOr', 'v4Fbj5OvIJ', 'WXTbqTrBwF', 'gkMbhBhhax', 'lEkbp98jqe', 'crYb6EeKOd', 'e7Xb7Ma6sg', 'shHbXjRjA8', 'TuMb5guhap', 'PW1bJWM1mu'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, IPSyI556b0v7YvrMY7.cs High entropy of concatenated method names: 'PxHkSUZKY6', 'pIUkxUIJLq', 'kRckHjJaR5', 'TYnkLqBrMH', 'PKikVnc7kB', 'wWOkM0BX1w', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, IuGrOK6T5TNcI2dfw2.cs High entropy of concatenated method names: 'gbU9XrhYI4', 'nSJ9JhiomW', 'gv8kdqod4V', 'VPnkiZdcux', 'HJP9fFbgvB', 'ILw9CdmpTX', 'pxI9R1MQs2', 'pk69VOSc8U', 'gVy9jQIiTJ', 'nAn9qcQ4jL'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, SIo0RMlAk7xImKHJVb.cs High entropy of concatenated method names: 'lDUWAKxy4l', 'r51WvntqEq', 'wsBWbqvPkU', 'nIPWI0YtsF', 'S1nW0mDuAC', 'STVWrjIi5r', 'MbjWUnfhO2', 'pduWl11w0v', 'FvvWGxDCYQ', 'oDiWNYibIV'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, usMF9xR1IErK5l28Ib.cs High entropy of concatenated method names: 'VLDYoh1tO9', 'hSsYEU3fMx', 'JCoYSQwJlT', 'iB0Yxwo5rb', 'LPbYLy9ixt', 'MYsYMmRl4M', 'kcOYnJqrSJ', 'RSFYDR9dcR', 'WVpYsyrJ9G', 'T9lYfNunC6'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, xpSJPsEhZGY9JOcFLg.cs High entropy of concatenated method names: 'bejIyY9m5V', 'nneIP9JOZ0', 'ShZIoTOpDP', 'EsoIEj58Nn', 'kTOImFSK3p', 'as5Ienx2hw', 'Op5I94O69y', 'd9wIk8Ap2b', 'JhYIBveAZA', 'pejI4RyTxV'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, faANQQ3deiB0PQBsf7.cs High entropy of concatenated method names: 'YbkiUOWjgo', 'fLail2t5nf', 'NhZiNGY9JO', 'wFLi8gxyS0', 'i96imDyuBx', 'WFZieqj5CJ', 'xm2BXVcU9KZ73y3dDy', 'T1TxKU3Y9STwjc1uH4', 'p7L4fWkGIcdBO942j1', 'vgTiiIONQs'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, tVYHTgb76Bfk4PhCX9.cs High entropy of concatenated method names: 'Dispose', 'K0Qi5MFk6t', 'a6QtxTNQWY', 'dCOaaiwogO', 'okXiJeZChr', 'xhyizLR9vS', 'ProcessDialogKey', 'aHLtdPSyI5', 'Vb0tiv7Yvr', 'JY7tttQgjD'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, UvgSPjVqY43NKsvmLD.cs High entropy of concatenated method names: 'UBLms2tdmK', 'qpEmCZTrys', 'KPvmVu0qCK', 'By6mjBiMyZ', 'Lc1mxasjaq', 'lIUmHH7P3w', 'g9jmLRG29p', 'X6omMWHfy5', 'HxAmFi2q2i', 'WyCmnH7xko'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, cQgjD4Je7bPR6gdgM5.cs High entropy of concatenated method names: 'af6BivaDUX', 'wJxBWPPgNv', 's8kB3CPZJd', 'g4iBvphPZX', 'zy9Bbpfx08', 'BjjB0KHKtx', 'MgVBrFafmU', 'Hwgk7I3UUh', 'GDKkXfauRA', 'buTk5aqXZs'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, GYLhK6hChZEQv74sxD.cs High entropy of concatenated method names: 'aL19NnTp2M', 'Kua98Q4dDv', 'ToString', 'OC29vH1Rj2', 'MZZ9bx2AgC', 'VrN9IUew8A', 'UX890I913p', 'bvm9rX9ZgG', 'YBi9UHrJdQ', 'VPu9lyR9xI'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, rXeZChXrThyLR9vSdH.cs High entropy of concatenated method names: 'OJVkvmphdV', 'ERtkbex50e', 'JyBkIm11Jd', 'nfmk0WEMOk', 'YmmkrABOmU', 'Q0GkUB0YjC', 'KPgklStUQA', 'T9okGgVpdS', 'xZhkNgLeV8', 'mZHk859vIi'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, JXtKUonu31etRLOHqv.cs High entropy of concatenated method names: 'QqoUvDSnko', 'QEWUIPIqs2', 'e3vUraBIpP', 'jg1rJvVnqq', 'CIQrzga9io', 'B4qUdxCRaw', 'x9DUi635n7', 'rSuUtELoeE', 'CSoUWh9EMV', 'TZkU3ROiD0'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, PxlW3titZLtuPVuEBCU.cs High entropy of concatenated method names: 'kuh4TbMyMd', 'cwg4Q98syd', 'jG74K9Hldo', 'U8HLIBaznIStNm3926q', 'GXG01vsRjivQjNRJbHg', 'c7BIkpsWi5U1lRYVOr5', 'RLPtB8sCJIOX3N96HZk'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, yf12vMLxsXnSbq8lNL.cs High entropy of concatenated method names: 'W2irc1i13b', 'DAfrT0Dd99', 'x6FrKD8A6e', 'rUsryLbK5h', 'NnlrPSSc0q', 'niUrguuTBn', 'pA8rEfHlGe', 'dy2r1vRqes', 'Xl0FEdCuOHUA45nOKxy', 'j9MYULC17VGMo7hiBFm'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, vBxXFZSqj5CJ1bOYQp.cs High entropy of concatenated method names: 'zKorA9aGEa', 'plgrbirZVr', 'PbYr08BxDd', 'htlrUl2Eg5', 'j6QrlKbTVl', 'otj0phIHIJ', 'Gl106tUxqE', 'msE074eW7b', 'dTH0Xfnawh', 'o2Q05Ti9BP'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, d1amM3z2wStAkp2SKK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EFTBYFt6Px', 'gjNBmd81hl', 'OV5BeO9iAU', 'AWAB9CZfQA', 'p4GBkIiKKM', 'QYbBBnL3AH', 'IV0B4Y1r1k'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, Sfbq5iidoBQe3G70rKY.cs High entropy of concatenated method names: 'e8BBTcvNd3', 'MvqBQtqv6R', 'kkWBKBCkS4', 'TpKByI2Y8l', 'B6yB2DI6Bw', 'qv3BP2kUne', 'LUfBgWHA3r', 'FTSBoPpZbU', 'fQ7BEEot2L', 'SswB1WfZiM'
Source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3cd98c0.2.raw.unpack, AyrUgExQb1IwVvof5j.cs High entropy of concatenated method names: 'F4IYLgCrUdMKI0uJflw', 'N0S8SJClHONyiKRQwYQ', 'Ip6VdbCZtpuLxwLSvmW', 'nALrkF49QE', 'SmerBWPP7L', 'QOdr4DS539', 'lvRij3CAl9iugmMgInh', 'qFVbvmCbvCwnIJoXYam'
Drops PE files
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp6D8B.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7716, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: BF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 2970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 4970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 5CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 6CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 6F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 7F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 1290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 2DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: 1290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 3020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 5020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 6430000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 7430000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 7670000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 8670000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory allocated: 4B00000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9024 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9012 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 507 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Window / User API: threadDelayed 2170 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Window / User API: threadDelayed 2264 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Window / User API: threadDelayed 1420
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Window / User API: threadDelayed 2364
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7300 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7792 Thread sleep count: 2170 > 30 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99751s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99634s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7792 Thread sleep count: 2264 > 30 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99407s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99282s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -99035s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98907s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98407s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98282s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -98046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -97909s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -97782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -97657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -97532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -97422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe TID: 7784 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 7780 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8080 Thread sleep count: 1420 > 30
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8080 Thread sleep count: 2364 > 30
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99195s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe TID: 8072 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99751 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99634 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99516 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99407 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99282 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99157 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 99035 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98907 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98782 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98657 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98532 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98407 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98282 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98157 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 98046 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 97909 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 97782 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 97657 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 97532 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 97422 Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99195
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98860
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Thread delayed: delay time: 922337203685477
Source: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe, 00000007.00000002.2916547740.000000000106F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: yPsuOErYR.exe, 0000000C.00000002.2916088869.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: yPsuOErYR.exe, 00000008.00000002.1733473690.0000000009024000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\RC
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe"
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yPsuOErYR.exe"
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yPsuOErYR.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Memory written: C:\Users\user\AppData\Roaming\yPsuOErYR.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yPsuOErYR.exe" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp6D8B.tmp" Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Process created: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe "C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yPsuOErYR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CBD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Process created: C:\Users\user\AppData\Roaming\yPsuOErYR.exe "C:\Users\user\AppData\Roaming\yPsuOErYR.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Users\user\AppData\Roaming\yPsuOErYR.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Users\user\AppData\Roaming\yPsuOErYR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yPsuOErYR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1729258906.0000000004262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7988, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\yPsuOErYR.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2918628203.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1729258906.0000000004262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7988, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yPsuOErYR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.429cce8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yPsuOErYR.exe.42622c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bebaf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe.3bb10d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918628203.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1729258906.0000000004262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2918409019.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691572319.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yPsuOErYR.exe PID: 7988, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427732 Sample: 100% #U4e8b#U524d#U306e#U8f... Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 42 mail.geasa.hn 2->42 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 12 other signatures 2->52 8 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe 7 2->8         started        12 yPsuOErYR.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\yPsuOErYR.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp6D8B.tmp, XML 8->40 dropped 54 Adds a directory exclusion to Windows Defender 8->54 14 100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        56 Multi AV Scanner detection for dropped file 12->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->58 60 Machine Learning detection for dropped file 12->60 62 Injects a PE file into a foreign processes 12->62 24 yPsuOErYR.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 44 mail.geasa.hn 66.96.131.81, 49730, 49731, 587 BIZLAND-SDUS United States 14->44 64 Loading BitLocker PowerShell Module 18->64 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->66 68 Tries to steal Mail credentials (via file / registry access) 24->68 70 Tries to harvest and steal browser information (history, passwords, etc) 24->70 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
66.96.131.81
 mail.geasa.hn United States
29873 BIZLAND-SDUS true

Contacted Domains

Name IP Active
mail.geasa.hn 66.96.131.81 true