Windows Analysis Report I-IN-6757165752-DEL983527_20240416074318.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: TAdpY.pdb source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr
Source:	Binary string: TAdpY.pdbSHA256$ source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 4x nop then jmp 0298343Bh	0_2_02982F14
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 4x nop then jmp 051D21E3h	7_2_051D1CBC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 02582703h	14_2_025821DC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 05382703h	20_2_053821DC

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49715 -> 50.87.253.239:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 50.87.253.239:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 50.87.253.239 50.87.253.239

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 50.87.253.239:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.clslk.com

Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3263613363.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 0000000D.00000002.3264075421.0000000003197000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.3265824601.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000017.00000002.3263477131.000000000325A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.clslk.com
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2046661816.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 00000007.00000002.2085294887.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000E.00000002.2207950596.0000000002845000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2263918730.0000000003378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 0000000D.00000002.3257368648.0000000000436000.00000040.00000400.00020000.00000000.sdmp, boqXv.exe, 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.5210000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: I-IN-6757165752-DEL983527_20240416074318.exe, Form1.cs	Long String: Length: 131612
Source: lvPAYFCXxuNokO.exe.0.dr, Form1.cs	Long String: Length: 131612

Detected potential crypto function

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 0_2_0114D59C	0_2_0114D59C
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 0_2_02985258	0_2_02985258
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011CA3D8	6_2_011CA3D8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011CD658	6_2_011CD658
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C9810	6_2_011C9810
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C4AD0	6_2_011C4AD0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C3EB8	6_2_011C3EB8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C4200	6_2_011C4200
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_0602B5A0	6_2_0602B5A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06029F7C	6_2_06029F7C
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06030E60	6_2_06030E60
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06039F80	6_2_06039F80
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06035B80	6_2_06035B80
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06033398	6_2_06033398
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_060343F8	6_2_060343F8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06039038	6_2_06039038
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_0603C1A0	6_2_0603C1A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_060354A0	6_2_060354A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06033AF0	6_2_06033AF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0165D59C	7_2_0165D59C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_051D40B8	7_2_051D40B8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A1C00	7_2_057A1C00
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A0040	7_2_057A0040
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A001B	7_2_057A001B
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A1BF0	7_2_057A1BF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808D90	7_2_05808D90
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05800D00	7_2_05800D00
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580A488	7_2_0580A488
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E078	7_2_0580E078
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E390	7_2_0580E390
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580B338	7_2_0580B338
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05800240	7_2_05800240
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05805CC0	7_2_05805CC0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808CFB	7_2_05808CFB
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D400	7_2_0580D400
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580BC59	7_2_0580BC59
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580A479	7_2_0580A479
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580BFE1	7_2_0580BFE1
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809ED8	7_2_05809ED8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809EE8	7_2_05809EE8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D639	7_2_0580D639
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580C1C8	7_2_0580C1C8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580C1D8	7_2_0580C1D8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D081	7_2_0580D081
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D090	7_2_0580D090
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E068	7_2_0580E068
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E381	7_2_0580E381
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D3F0	7_2_0580D3F0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808280	7_2_05808280
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580B2B3	7_2_0580B2B3
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580F2E9	7_2_0580F2E9
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809A10	7_2_05809A10
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809A20	7_2_05809A20
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808271	7_2_05808271
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C69650	7_2_08C69650
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C63B80	7_2_08C63B80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6CB68	7_2_08C6CB68
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6CFA0	7_2_08C6CFA0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6E240	7_2_08C6E240
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C65690	7_2_08C65690
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C656A0	7_2_08C656A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C69640	7_2_08C69640
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0168A3D0	13_2_0168A3D0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0168D650	13_2_0168D650
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01689810	13_2_01689810
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01684AD0	13_2_01684AD0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01683EB8	13_2_01683EB8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01684200	13_2_01684200
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666D391	13_2_0666D391
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666A29C	13_2_0666A29C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666B5A0	13_2_0666B5A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06669F7C	13_2_06669F7C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06679F80	13_2_06679F80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_066743F8	13_2_066743F8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06675B80	13_2_06675B80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06670040	13_2_06670040
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06679038	13_2_06679038
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0667C1A0	13_2_0667C1A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0667E1A0	13_2_0667E1A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_066754A0	13_2_066754A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06673AF0	13_2_06673AF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06673398	13_2_06673398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_00C7D59C	14_2_00C7D59C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_025845D8	14_2_025845D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78D90	14_2_05A78D90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A70D00	14_2_05A70D00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7A488	14_2_05A7A488
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E078	14_2_05A7E078
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E390	14_2_05A7E390
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7B338	14_2_05A7B338
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A70240	14_2_05A70240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78CFB	14_2_05A78CFB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D400	14_2_05A7D400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7A479	14_2_05A7A479
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7BFE1	14_2_05A7BFE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79EE8	14_2_05A79EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79ED8	14_2_05A79ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D639	14_2_05A7D639
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7C1C8	14_2_05A7C1C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7C1D8	14_2_05A7C1D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D081	14_2_05A7D081
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D090	14_2_05A7D090
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E068	14_2_05A7E068
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E381	14_2_05A7E381
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D3F0	14_2_05A7D3F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7B303	14_2_05A7B303
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78280	14_2_05A78280
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79A20	14_2_05A79A20
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79A10	14_2_05A79A10
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78272	14_2_05A78272
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B89780	14_2_05B89780
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8C71F	14_2_05B8C71F
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B89770	14_2_05B89770
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8C2C5	14_2_05B8C2C5
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8E231	14_2_05B8E231
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8E240	14_2_05B8E240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8CFA0	14_2_05B8CFA0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B83B80	14_2_05B83B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B83B70	14_2_05B83B70
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8CB68	14_2_05B8CB68
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0157D1F0	19_2_0157D1F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01574200	19_2_01574200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01574AD0	19_2_01574AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01573EB8	19_2_01573EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01579EA8	19_2_01579EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651B658	19_2_0651B658
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06519DCC	19_2_06519DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06529F80	19_2_06529F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_065243F8	19_2_065243F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06523398	19_2_06523398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06525B80	19_2_06525B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06520040	19_2_06520040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652902A	19_2_0652902A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652E190	19_2_0652E190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_065254A0	19_2_065254A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06523ADB	19_2_06523ADB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652C1A0	19_2_0652C1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_01B0D59C	20_2_01B0D59C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_05384518	20_2_05384518
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B9B00	20_2_058B9B00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B0006	20_2_058B0006
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B0040	20_2_058B0040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8D90	20_2_059A8D90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A0D00	20_2_059A0D00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AA488	20_2_059AA488
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE078	20_2_059AE078
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE390	20_2_059AE390
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AB338	20_2_059AB338
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A0240	20_2_059A0240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A5CC0	20_2_059A5CC0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8CFA	20_2_059A8CFA
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD400	20_2_059AD400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059ABC59	20_2_059ABC59
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AA479	20_2_059AA479
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059ABFE1	20_2_059ABFE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9ED8	20_2_059A9ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9EE8	20_2_059A9EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD639	20_2_059AD639
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AC1D8	20_2_059AC1D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AC1C8	20_2_059AC1C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD090	20_2_059AD090
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD081	20_2_059AD081
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE068	20_2_059AE068
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE381	20_2_059AE381
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD3F0	20_2_059AD3F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8280	20_2_059A8280
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AB2B3	20_2_059AB2B3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AF2E9	20_2_059AF2E9
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9A10	20_2_059A9A10
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9A20	20_2_059A9A20
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8271	20_2_059A8271
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0178D128	23_2_0178D128
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_017896F0	23_2_017896F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01784AD0	23_2_01784AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01783EB8	23_2_01783EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01789EA8	23_2_01789EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01784200	23_2_01784200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663D1F1	23_2_0663D1F1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663A0EC	23_2_0663A0EC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663B400	23_2_0663B400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06639DCC	23_2_06639DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06649F80	23_2_06649F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_066443F8	23_2_066443F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06645B80	23_2_06645B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06643398	23_2_06643398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06640040	23_2_06640040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06649038	23_2_06649038
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0664E1A0	23_2_0664E1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_066454A0	23_2_066454A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06643AF0	23_2_06643AF0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0664C1A0	23_2_0664C1A0

Sample file is different than original file name gathered from version info

Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2049605278.0000000005210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2050926215.0000000008780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2046661816.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000000.1999623192.0000000000672000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTAdpY.exe0 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004605000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2045415101.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3257892823.00000000009D9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe	Binary or memory string: OriginalFilenameTAdpY.exe0 vs I-IN-6757165752-DEL983527_20240416074318.exe

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lvPAYFCXxuNokO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/16@1/1

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: \Sessions\1\BaseNamedObjects\UauolquHGTiwCPbhqo

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Virustotal: Detection: 38%
Source: I-IN-6757165752-DEL983527_20240416074318.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File read: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Source: unknown	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static file information: File size 1220096 > 1048576

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101a00

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: TAdpY.pdb source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr
Source:	Binary string: TAdpY.pdbSHA256$ source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr

Data Obfuscation

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.5210000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: 0xAE22208A [Sun Jul 30 08:02:18 2062 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C044F push edx; iretd	6_2_011C0452
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C0617 push edx; iretd	6_2_011C061A
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C083B push edx; iretd	6_2_011C0846
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057AB497 pushfd ; iretd	7_2_057AB4A5
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057AB790 push eax; mov dword ptr [esp], edx	7_2_057AB7A4
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580AD85 pushad ; retf	7_2_0580AD86
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580AD8F pushad ; retf	7_2_0580AD90
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666FD30 push es; ret	13_2_0666FD40
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7AD85 pushad ; retf	14_2_05A7AD86
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7AD8F pushad ; retf	14_2_05A7AD90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F555 push es; iretd	19_2_0651F55C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F544 push es; iretd	19_2_0651F548
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F549 push es; iretd	19_2_0651F554
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F571 push es; iretd	19_2_0651F57C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F57D push es; iretd	19_2_0651F588
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F56D push es; iretd	19_2_0651F570
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F510 push es; iretd	19_2_0651F51C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F51D push es; iretd	19_2_0651F520
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F521 push es; iretd	19_2_0651F524
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5DD push es; iretd	19_2_0651F5E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5C9 push es; iretd	19_2_0651F5CC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5CD push es; iretd	19_2_0651F5DC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F595 push es; iretd	19_2_0651F5C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058BB790 push eax; mov dword ptr [esp], edx	20_2_058BB7A4
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AAD8F pushad ; retf	20_2_059AAD90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AAD85 pushad ; retf	20_2_059AAD86
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F56F push es; iretd	23_2_0663F570
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F523 push es; iretd	23_2_0663F524
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F51F push es; iretd	23_2_0663F520
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F5CB push es; iretd	23_2_0663F5CC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F5CF push es; iretd	23_2_0663F5DC

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Static PE information: section name: .text entropy: 7.302752137448552
Source: lvPAYFCXxuNokO.exe.0.dr	Static PE information: section name: .text entropy: 7.302752137448552

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'

Drops PE files

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe			Jump to dropped file
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 6130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 7270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 8270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 9830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: A830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: B830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 1650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 5190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 68A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 78A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 79E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 89E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 92C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 68A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 5120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 6F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 15B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 68E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 78E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5200000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7266	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2436	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Window / User API: threadDelayed 1370	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Window / User API: threadDelayed 2611	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Window / User API: threadDelayed 372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Window / User API: threadDelayed 2414	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 1894
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 567
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 2419

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 428	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 4432	Thread sleep count: 1370 > 30	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99729s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 4432	Thread sleep count: 2611 > 30	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98415s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 6768	Thread sleep count: 372 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 6768	Thread sleep count: 2414 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4524	Thread sleep count: 1104 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4524	Thread sleep count: 1894 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99511s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98841s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98511s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98295s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6300	Thread sleep count: 567 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6300	Thread sleep count: 2419 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99311s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98756s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99884	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99729	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99293	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98415	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99872
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99511
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98841
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98511
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98295
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99311
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98756
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: boqXv.exe, 0000000E.00000002.2205274446.0000000000A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: lvPAYFCXxuNokO.exe, 0000000D.00000002.3260904802.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: boqXv.exe, 00000013.00000002.3258852117.0000000001449000.00000004.00000020.00020000.00000000.sdmp, boqXv.exe, 00000017.00000002.3258520541.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3258730321.0000000000F8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Memory allocated: page read and write | page guard

Adds a directory exclusion to Windows Defender

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory written: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3263477131.000000000325A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.000000000318F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003252000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 5504, type: MEMORYSTR

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.3265824601.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 5504, type: MEMORYSTR

Remote Access Functionality

Found malware configuration

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3263477131.000000000325A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.000000000318F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003252000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 5504, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.253.239	mail.clslk.com	United States		46606	UNIFIEDLAYER-AS-1US	true

Contacted Domains

Name	IP	Active
mail.clslk.com	50.87.253.239	true

AV Detection

Source: 20.2.boqXv.exe.51cd170.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Virustotal: Detection: 38%	Perma Link
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Virustotal: Detection: 38%	Perma Link

Multi AV Scanner detection for submitted file

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Virustotal: Detection: 38%			Perma Link
Source: I-IN-6757165752-DEL983527_20240416074318.exe	ReversingLabs: Detection: 36%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Joe Sandbox ML: detected

Found inlined nop instructions (likely shell or obfuscated code)

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: TAdpY.pdb source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr
Source:	Binary string: TAdpY.pdbSHA256$ source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 4x nop then jmp 0298343Bh	0_2_02982F14
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 4x nop then jmp 051D21E3h	7_2_051D1CBC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 02582703h	14_2_025821DC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 05382703h	20_2_053821DC

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49704 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49705 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49711 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49715 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49715 -> 50.87.253.239:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 50.87.253.239:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 50.87.253.239 50.87.253.239

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 50.87.253.239:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.clslk.com

Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3263613363.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 0000000D.00000002.3264075421.0000000003197000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.3265824601.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000017.00000002.3263477131.000000000325A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.clslk.com
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2046661816.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 00000007.00000002.2085294887.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000E.00000002.2207950596.0000000002845000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2263918730.0000000003378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, lvPAYFCXxuNokO.exe, 0000000D.00000002.3257368648.0000000000436000.00000040.00000400.00020000.00000000.sdmp, boqXv.exe, 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.5210000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: I-IN-6757165752-DEL983527_20240416074318.exe, Form1.cs	Long String: Length: 131612
Source: lvPAYFCXxuNokO.exe.0.dr, Form1.cs	Long String: Length: 131612

Detected potential crypto function

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 0_2_0114D59C	0_2_0114D59C
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 0_2_02985258	0_2_02985258
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011CA3D8	6_2_011CA3D8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011CD658	6_2_011CD658
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C9810	6_2_011C9810
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C4AD0	6_2_011C4AD0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C3EB8	6_2_011C3EB8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C4200	6_2_011C4200
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_0602B5A0	6_2_0602B5A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06029F7C	6_2_06029F7C
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06030E60	6_2_06030E60
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06039F80	6_2_06039F80
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06035B80	6_2_06035B80
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06033398	6_2_06033398
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_060343F8	6_2_060343F8
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06039038	6_2_06039038
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_0603C1A0	6_2_0603C1A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_060354A0	6_2_060354A0
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_06033AF0	6_2_06033AF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0165D59C	7_2_0165D59C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_051D40B8	7_2_051D40B8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A1C00	7_2_057A1C00
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A0040	7_2_057A0040
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A001B	7_2_057A001B
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057A1BF0	7_2_057A1BF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808D90	7_2_05808D90
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05800D00	7_2_05800D00
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580A488	7_2_0580A488
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E078	7_2_0580E078
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E390	7_2_0580E390
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580B338	7_2_0580B338
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05800240	7_2_05800240
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05805CC0	7_2_05805CC0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808CFB	7_2_05808CFB
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D400	7_2_0580D400
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580BC59	7_2_0580BC59
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580A479	7_2_0580A479
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580BFE1	7_2_0580BFE1
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809ED8	7_2_05809ED8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809EE8	7_2_05809EE8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D639	7_2_0580D639
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580C1C8	7_2_0580C1C8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580C1D8	7_2_0580C1D8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D081	7_2_0580D081
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D090	7_2_0580D090
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E068	7_2_0580E068
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580E381	7_2_0580E381
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580D3F0	7_2_0580D3F0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808280	7_2_05808280
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580B2B3	7_2_0580B2B3
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580F2E9	7_2_0580F2E9
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809A10	7_2_05809A10
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05809A20	7_2_05809A20
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_05808271	7_2_05808271
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C69650	7_2_08C69650
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C63B80	7_2_08C63B80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6CB68	7_2_08C6CB68
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6CFA0	7_2_08C6CFA0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C6E240	7_2_08C6E240
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C65690	7_2_08C65690
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C656A0	7_2_08C656A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_08C69640	7_2_08C69640
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0168A3D0	13_2_0168A3D0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0168D650	13_2_0168D650
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01689810	13_2_01689810
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01684AD0	13_2_01684AD0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01683EB8	13_2_01683EB8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_01684200	13_2_01684200
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666D391	13_2_0666D391
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666A29C	13_2_0666A29C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666B5A0	13_2_0666B5A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06669F7C	13_2_06669F7C
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06679F80	13_2_06679F80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_066743F8	13_2_066743F8
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06675B80	13_2_06675B80
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06670040	13_2_06670040
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06679038	13_2_06679038
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0667C1A0	13_2_0667C1A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0667E1A0	13_2_0667E1A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_066754A0	13_2_066754A0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06673AF0	13_2_06673AF0
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_06673398	13_2_06673398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_00C7D59C	14_2_00C7D59C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_025845D8	14_2_025845D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78D90	14_2_05A78D90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A70D00	14_2_05A70D00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7A488	14_2_05A7A488
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E078	14_2_05A7E078
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E390	14_2_05A7E390
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7B338	14_2_05A7B338
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A70240	14_2_05A70240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78CFB	14_2_05A78CFB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D400	14_2_05A7D400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7A479	14_2_05A7A479
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7BFE1	14_2_05A7BFE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79EE8	14_2_05A79EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79ED8	14_2_05A79ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D639	14_2_05A7D639
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7C1C8	14_2_05A7C1C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7C1D8	14_2_05A7C1D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D081	14_2_05A7D081
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D090	14_2_05A7D090
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E068	14_2_05A7E068
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7E381	14_2_05A7E381
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7D3F0	14_2_05A7D3F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7B303	14_2_05A7B303
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78280	14_2_05A78280
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79A20	14_2_05A79A20
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A79A10	14_2_05A79A10
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A78272	14_2_05A78272
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B89780	14_2_05B89780
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8C71F	14_2_05B8C71F
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B89770	14_2_05B89770
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8C2C5	14_2_05B8C2C5
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8E231	14_2_05B8E231
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8E240	14_2_05B8E240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8CFA0	14_2_05B8CFA0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B83B80	14_2_05B83B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B83B70	14_2_05B83B70
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05B8CB68	14_2_05B8CB68
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0157D1F0	19_2_0157D1F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01574200	19_2_01574200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01574AD0	19_2_01574AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01573EB8	19_2_01573EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_01579EA8	19_2_01579EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651B658	19_2_0651B658
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06519DCC	19_2_06519DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06529F80	19_2_06529F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_065243F8	19_2_065243F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06523398	19_2_06523398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06525B80	19_2_06525B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06520040	19_2_06520040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652902A	19_2_0652902A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652E190	19_2_0652E190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_065254A0	19_2_065254A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_06523ADB	19_2_06523ADB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0652C1A0	19_2_0652C1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_01B0D59C	20_2_01B0D59C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_05384518	20_2_05384518
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B9B00	20_2_058B9B00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B0006	20_2_058B0006
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058B0040	20_2_058B0040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8D90	20_2_059A8D90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A0D00	20_2_059A0D00
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AA488	20_2_059AA488
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE078	20_2_059AE078
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE390	20_2_059AE390
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AB338	20_2_059AB338
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A0240	20_2_059A0240
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A5CC0	20_2_059A5CC0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8CFA	20_2_059A8CFA
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD400	20_2_059AD400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059ABC59	20_2_059ABC59
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AA479	20_2_059AA479
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059ABFE1	20_2_059ABFE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9ED8	20_2_059A9ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9EE8	20_2_059A9EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD639	20_2_059AD639
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AC1D8	20_2_059AC1D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AC1C8	20_2_059AC1C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD090	20_2_059AD090
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD081	20_2_059AD081
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE068	20_2_059AE068
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AE381	20_2_059AE381
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AD3F0	20_2_059AD3F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8280	20_2_059A8280
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AB2B3	20_2_059AB2B3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AF2E9	20_2_059AF2E9
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9A10	20_2_059A9A10
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A9A20	20_2_059A9A20
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059A8271	20_2_059A8271
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0178D128	23_2_0178D128
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_017896F0	23_2_017896F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01784AD0	23_2_01784AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01783EB8	23_2_01783EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01789EA8	23_2_01789EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_01784200	23_2_01784200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663D1F1	23_2_0663D1F1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663A0EC	23_2_0663A0EC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663B400	23_2_0663B400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06639DCC	23_2_06639DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06649F80	23_2_06649F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_066443F8	23_2_066443F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06645B80	23_2_06645B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06643398	23_2_06643398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06640040	23_2_06640040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06649038	23_2_06649038
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0664E1A0	23_2_0664E1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_066454A0	23_2_066454A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_06643AF0	23_2_06643AF0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0664C1A0	23_2_0664C1A0

Sample file is different than original file name gathered from version info

Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2049605278.0000000005210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2050926215.0000000008780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2046661816.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000000.1999623192.0000000000672000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTAdpY.exe0 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004605000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2045415101.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3257892823.00000000009D9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs I-IN-6757165752-DEL983527_20240416074318.exe
Source: I-IN-6757165752-DEL983527_20240416074318.exe	Binary or memory string: OriginalFilenameTAdpY.exe0 vs I-IN-6757165752-DEL983527_20240416074318.exe

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lvPAYFCXxuNokO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, GthVfMhBIDZsikYfbV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/16@1/1

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: \Sessions\1\BaseNamedObjects\UauolquHGTiwCPbhqo

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Virustotal: Detection: 38%
Source: I-IN-6757165752-DEL983527_20240416074318.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File read: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Source: unknown	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static file information: File size 1220096 > 1048576

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101a00

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: TAdpY.pdb source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr
Source:	Binary string: TAdpY.pdbSHA256$ source: I-IN-6757165752-DEL983527_20240416074318.exe, boqXv.exe.6.dr, lvPAYFCXxuNokO.exe.0.dr

Data Obfuscation

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.5210000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	.Net Code: UTWONTH4IN System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: I-IN-6757165752-DEL983527_20240416074318.exe

Static PE information: 0xAE22208A [Sun Jul 30 08:02:18 2062 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C044F push edx; iretd	6_2_011C0452
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C0617 push edx; iretd	6_2_011C061A
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Code function: 6_2_011C083B push edx; iretd	6_2_011C0846
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057AB497 pushfd ; iretd	7_2_057AB4A5
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_057AB790 push eax; mov dword ptr [esp], edx	7_2_057AB7A4
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580AD85 pushad ; retf	7_2_0580AD86
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 7_2_0580AD8F pushad ; retf	7_2_0580AD90
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Code function: 13_2_0666FD30 push es; ret	13_2_0666FD40
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7AD85 pushad ; retf	14_2_05A7AD86
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 14_2_05A7AD8F pushad ; retf	14_2_05A7AD90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F555 push es; iretd	19_2_0651F55C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F544 push es; iretd	19_2_0651F548
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F549 push es; iretd	19_2_0651F554
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F571 push es; iretd	19_2_0651F57C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F57D push es; iretd	19_2_0651F588
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F56D push es; iretd	19_2_0651F570
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F510 push es; iretd	19_2_0651F51C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F51D push es; iretd	19_2_0651F520
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F521 push es; iretd	19_2_0651F524
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5DD push es; iretd	19_2_0651F5E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5C9 push es; iretd	19_2_0651F5CC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F5CD push es; iretd	19_2_0651F5DC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0651F595 push es; iretd	19_2_0651F5C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_058BB790 push eax; mov dword ptr [esp], edx	20_2_058BB7A4
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AAD8F pushad ; retf	20_2_059AAD90
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 20_2_059AAD85 pushad ; retf	20_2_059AAD86
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F56F push es; iretd	23_2_0663F570
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F523 push es; iretd	23_2_0663F524
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F51F push es; iretd	23_2_0663F520
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F5CB push es; iretd	23_2_0663F5CC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 23_2_0663F5CF push es; iretd	23_2_0663F5DC

Source: I-IN-6757165752-DEL983527_20240416074318.exe	Static PE information: section name: .text entropy: 7.302752137448552
Source: lvPAYFCXxuNokO.exe.0.dr	Static PE information: section name: .text entropy: 7.302752137448552

Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.8780000.7.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.48b45d8.3.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, bLsDodC9dxZmufLsM7.cs	High entropy of concatenated method names: 'tnbcSuQBSD', 'LytcsHBMLW', 'QjOcQtIilK', 'rdrcEbd7GB', 'RgRcA1fH9o', 'cPjQGciLog', 'CiwQ4TR2HU', 'Jp4QPD90hl', 'BDqQjvXuPp', 'SnXQYVos22'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, nhfSyuzJFOdslPLXFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uA9nDBddBL', 'ObRnxN2ay4', 'hOknrMUSdn', 'MkDnWQvY6y', 'NNtndOplvw', 'zGFnnbd1yV', 'hk0nV42MMa'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, xV3V00jGAKZuaVkDDLs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yucViHmKn0', 'J7kVhcD20a', 'dY4VZp7SJ0', 'evpV9J7KmM', 'NftVGgX9iH', 'f4YV4AoVsv', 'SHmVPv2OUJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, YxbjYqthqJwkh9ampC.cs	High entropy of concatenated method names: 'IspJSyFlux', 'DSoJg9wAjF', 'xwTJsPcU7M', 'NI3JTC9tfL', 'NYnJQoAqEr', 'ck7JcTpyu2', 'j66JEsBHn4', 'IoUJAb8vsf', 'kDMJFLkqbi', 'vnKJU6LKJW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, GthVfMhBIDZsikYfbV.cs	High entropy of concatenated method names: 'HI3siNI9IR', 'Mc0sh7sH32', 'npbsZmP1vd', 'lR7s9QTami', 'KkksGaH9rn', 'v6Ds4AtsWa', 'yu6sPPJCG1', 'Ht1sj8bIp0', 'kiPsYsxHPg', 'WuIseVXk9C'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, ejtyZU7BcN8UetYQpI.cs	High entropy of concatenated method names: 'p1fN0XvBl', 'BT37feIWG', 'xGYBnvJG7', 'LlGXxdJn5', 'oOofOx0Ll', 'xxwMlkJ1W', 'r6wZFo6Pp6xKh4IKTh', 'eevFIoksM8h7bv4Hg8', 'mrHdGXXAP', 'WHcVRPvhu'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, bDePM59Xt5x9dl3HgN.cs	High entropy of concatenated method names: 'OprWjFXkCp', 'ODrWevMPsD', 'uCcduWP0WS', 'D3mdvZa3Fv', 'LVKWo4GiCW', 'ykyWHDSlNg', 'HI3Wk73JmP', 'QyGWigUla8', 'stWWhwGOdS', 'nInWZaVEVY'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, Y3eBPliO2va2qRiV1F.cs	High entropy of concatenated method names: 'NoOT7SkjDo', 'HUVTBtJG2Y', 'ENPTLVur47', 'ckgTfkJBjo', 'N6pTxAL86L', 'tSETr2UhE9', 'I44TWqhhU2', 'TYqTdnktVH', 'aMHTnfRFcp', 'oyeTVTSAKw'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, iKfCgP3h43OMRoh0E8.cs	High entropy of concatenated method names: 'FMWQCIXDbR', 'GYZQXkZJrx', 'R28TaPMbSe', 'k15TtBWcuk', 'ReATl4sVD7', 'dqXT5Oxjxa', 'cmhTIWG9gA', 'DlhTK9irgO', 'hhoTwU4h9y', 's2uTmnMxqW'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, v7cihKjrxhO6S7I5SMi.cs	High entropy of concatenated method names: 'BWynpUOoY6', 'p0sn8YE03F', 'QZRnNPWUTx', 'BlEn7DA5bH', 'GYsnCfGA7m', 'UrgnBGPykV', 'ASPnX4dXH2', 'HxLnLQ5nW9', 'xminf78LhC', 'WOMnM8vRH6'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, SM0phuoX9fO2vGZCYu.cs	High entropy of concatenated method names: 'eY3EgMVGNO', 'rsTETgJIkf', 'mHZEcfu90L', 'RAfceGCyBy', 'cMJczJjZMt', 'eEhEu3LXaE', 'jb8EvLUEV8', 'pBXEbl3nk7', 'a0fEJf2opu', 'nt0EOw3vvc'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, H2fMmTqQrVN2mJSPGE.cs	High entropy of concatenated method names: 'Dispose', 'LROvYFx6Ay', 'LSAb2hrjVg', 'S5AyyYIHia', 'EVfveSijBs', 'vDvvzMc2k8', 'ProcessDialogKey', 'uS0busnXQG', 'iuCbvyaYqx', 'zyGbbQURBp'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, IkZHHtAOEP4FrX5BlM.cs	High entropy of concatenated method names: 'rShnvAnDfR', 'FjLnJ1jbfj', 'nAYnOAXRfO', 'FbnngyGF5x', 'XmsnsjPH2f', 'CewnQPJURg', 'QvOnc6RMSm', 'wlldPoq5AY', 'E3pdj7sMPU', 'l54dYy2L30'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, NRRtimJECsZWEETFK5.cs	High entropy of concatenated method names: 'Kd7DLZ4Cgb', 'McDDfJbofh', 'BM3D0vmotm', 'tUUD20pYMO', 'bS2DtPE1xV', 'O9CDlykD42', 'H6gDIZEHHo', 'sNoDKiiZqn', 'ct1DmbAInr', 'VJ4DoaNn3J'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, kuh3VgDZySxiUHRqmA.cs	High entropy of concatenated method names: 'yyeEpnJ9a6', 'VdQE8oYx9f', 'vTXENm70gs', 'pCvE7P9HAi', 'ToFECQsQmo', 'bAkEBICED0', 'AISEXkH6B7', 'eO4ELFZaRx', 'ic9EfdcLkJ', 'GTSEMCNwJ9'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, UNVqJypR9t56v8qAZV.cs	High entropy of concatenated method names: 'V7svEX7erx', 'GB3vACUK8v', 'MtDvUbVsBN', 'BOkvqL8na4', 'IFivxGIFDx', 'bN3vrc1ufl', 'Cus6PUXxePdH6HDWZL', 'fdSt4Zi5mnxFXviarV', 'PoRgtYStEEjpcktENi', 'Ba4vvdHkPU'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, XhBEIedUkb1q7oOWI8.cs	High entropy of concatenated method names: 'yFfd0EaXTo', 'erjd2oDGch', 'QxudavBvan', 'GrDdtkRiIo', 'RWGdiD9pJa', 'S96dl2j2OJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, uASh73guWJ1e8ndRwQ.cs	High entropy of concatenated method names: 'CredgqZVkw', 'zJ5dsLVCcu', 'f3FdTdw9Lw', 'rNcdQGEENT', 'zMwdcggwYO', 'z1OdEjtCMD', 'rladAAjt2P', 'BZgdFwCBFf', 'FW2dU1qX7H', 'BWadqMdIXJ'
Source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4959ff8.1.raw.unpack, EKXQYMcZujl2wbpaVr.cs	High entropy of concatenated method names: 'ToString', 'llVro67NJ7', 'RXbr20GNhS', 'SBXraXJVQZ', 'UJZrtI41Wi', 'Jonrl2Cp84', 'GKfr5LqnJi', 'v2lrIYdoEP', 'nRLrKELOGw', 'ljWrwLGg4H'

Drops PE files

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe			Jump to dropped file
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 6130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 7270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 8270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 9830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: A830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: B830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 1650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 5190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 68A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 78A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 79E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 89E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 92C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 68A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory allocated: 5120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 6F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 15B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 68E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 78E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5200000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7266	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2436	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Window / User API: threadDelayed 1370	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Window / User API: threadDelayed 2611	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Window / User API: threadDelayed 372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Window / User API: threadDelayed 2414	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 1894
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 567
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 2419

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 428	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 4432	Thread sleep count: 1370 > 30	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99729s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 4432	Thread sleep count: 2611 > 30	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98415s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 6768	Thread sleep count: 372 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 6768	Thread sleep count: 2414 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe TID: 4436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4524	Thread sleep count: 1104 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4524	Thread sleep count: 1894 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99511s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98841s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98511s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -98295s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6300	Thread sleep count: 567 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6300	Thread sleep count: 2419 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99311s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98756s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6000	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99884	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99729	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99293	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98415	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99872
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99511
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98841
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98511
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98295
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99311
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98756
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: boqXv.exe, 0000000E.00000002.2205274446.0000000000A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: lvPAYFCXxuNokO.exe, 0000000D.00000002.3260904802.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: boqXv.exe, 00000013.00000002.3258852117.0000000001449000.00000004.00000020.00020000.00000000.sdmp, boqXv.exe, 00000017.00000002.3258520541.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: I-IN-6757165752-DEL983527_20240416074318.exe, 00000006.00000002.3258730321.0000000000F8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Memory allocated: page read and write | page guard

Adds a directory exclusion to Windows Defender

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Memory written: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp2D1A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Process created: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe "C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp3CAB.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Process created: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe "C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp6C08.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvPAYFCXxuNokO" /XML "C:\Users\user\AppData\Local\Temp\tmp8712.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3263477131.000000000325A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3265824601.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.000000000318F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003252000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 5504, type: MEMORYSTR

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\I-IN-6757165752-DEL983527_20240416074318.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lvPAYFCXxuNokO.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a777a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.5208190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.46d7e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I-IN-6757165752-DEL983527_20240416074318.exe.4a3c788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4272d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.boqXv.exe.51cd170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.boqXv.exe.469ce40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lvPAYFCXxuNokO.exe.4237d00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.3265824601.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3263477131.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2271415533.00000000051CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3263613363.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047314409.0000000004A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2211535462.000000000469C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3264075421.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087305207.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: I-IN-6757165752-DEL983527_20240416074318.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvPAYFCXxuNokO.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 5504, type: MEMORYSTR

Remote Access Functionality