Windows Analysis Report
product11221.exe

Overview

General Information

Sample name: product11221.exe
Analysis ID: 1427941
MD5: 3b35eb02919cc28d6faea03c96519504
SHA1: 66588cd5d127e83379de633e178b288fe3fad794
SHA256: 8f44b390ba295e14b6a18221d7d74acbc1ad2b4440db3380364e9b7964f43670
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: product11221.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Avira: detection malicious, Label: HEUR/AGEN.1308740
Found malware configuration
Source: 0.2.product11221.exe.3c37938.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.torosdental.com", "Username": "mehmet@torosdental.com", "Password": "mehmet19201923000"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Virustotal: Detection: 40% Perma Link
Multi AV Scanner detection for submitted file
Source: product11221.exe ReversingLabs: Detection: 34%
Source: product11221.exe Virustotal: Detection: 40% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: product11221.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: product11221.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: product11221.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\product11221.exe Code function: 4x nop then jmp 029D650Dh 0_2_029D5D86
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 4x nop then jmp 048C5D3Dh 8_2_048C55B6
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 4x nop then jmp 048C5D3Dh 8_2_048C5624

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49711 -> 159.253.43.92:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49711 -> 159.253.43.92:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: product11221.exe, 00000007.00000002.4458811928.0000000003471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: product11221.exe, 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003471000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4449616776.0000000000437000.00000040.00000400.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: product11221.exe, 00000007.00000002.4458811928.0000000003897000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003656000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.000000000369E000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003739000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003948000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003799000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003629000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000003107000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.torosdental.com
Source: product11221.exe, 00000000.00000002.2015274120.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003421000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 00000008.00000002.2052064192.00000000028F9000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: product11221.exe, 00000007.00000002.4458811928.0000000003897000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003656000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.000000000369E000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003739000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003948000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003799000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003629000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000003107000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://torosdental.com
Source: product11221.exe, xOqrCwLHNYO.exe.0.dr String found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
Source: product11221.exe, xOqrCwLHNYO.exe.0.dr String found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
Source: product11221.exe, xOqrCwLHNYO.exe.0.dr String found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
Source: product11221.exe, xOqrCwLHNYO.exe.0.dr String found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0
Source: product11221.exe, 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4449616027.0000000000438000.00000040.00000400.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: product11221.exe, 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, product11221.exe, 00000007.00000002.4458811928.0000000003421000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4457367618.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4449616776.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: product11221.exe, 00000007.00000002.4458811928.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: product11221.exe, 00000007.00000002.4458811928.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, BZbr69Oq62w.cs .Net Code: _9aQLv
Source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, BZbr69Oq62w.cs .Net Code: _9aQLv
Installs a global keyboard hook
Source: C:\Users\user\Desktop\product11221.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\product11221.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\product11221.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.product11221.exe.3bf9d18.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.product11221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.xOqrCwLHNYO.exe.3958d70.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.xOqrCwLHNYO.exe.391b150.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.product11221.exe.3c37938.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.product11221.exe.2bb616c.0.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
Source: 0.2.product11221.exe.7070000.7.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\product11221.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E202E0 0_2_06E202E0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E21190 0_2_06E21190
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E22EE8 0_2_06E22EE8
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E234A0 0_2_06E234A0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E23258 0_2_06E23258
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E22030 0_2_06E22030
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_029D7AC8 0_2_029D7AC8
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_029D12E0 0_2_029D12E0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_029D8B90 0_2_029D8B90
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_029D0006 0_2_029D0006
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_029D0040 0_2_029D0040
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_02B7DDCC 0_2_02B7DDCC
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_05140006 0_2_05140006
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_05140040 0_2_05140040
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0514FC18 0_2_0514FC18
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0514FC40 0_2_0514FC40
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_05738150 0_2_05738150
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_05737108 0_2_05737108
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0573F8D0 0_2_0573F8D0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0573EDC0 0_2_0573EDC0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0573EDB0 0_2_0573EDB0
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0573F838 0_2_0573F838
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_0573F804 0_2_0573F804
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_016541F0 7_2_016541F0
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_01654AC0 7_2_01654AC0
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_0165D790 7_2_0165D790
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_01653EA8 7_2_01653EA8
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_070B9760 7_2_070B9760
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_070BF748 7_2_070BF748
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_070BF758 7_2_070BF758
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_070B32E8 7_2_070B32E8
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_072507B6 7_2_072507B6
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_072534C0 7_2_072534C0
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_0725B4D8 7_2_0725B4D8
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_07255AD8 7_2_07255AD8
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_07258928 7_2_07258928
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_0725E998 7_2_0725E998
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_0725ADF8 7_2_0725ADF8
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_07259048 7_2_07259048
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_0288DDCC 8_2_0288DDCC
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_048C0007 8_2_048C0007
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_048C0040 8_2_048C0040
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_048C12E0 8_2_048C12E0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_048C7300 8_2_048C7300
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_04E80040 8_2_04E80040
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_04E8001F 8_2_04E8001F
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_04E8FC40 8_2_04E8FC40
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_04E8FC2D 8_2_04E8FC2D
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F502E0 8_2_06F502E0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F541E8 8_2_06F541E8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F51190 8_2_06F51190
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F53ED0 8_2_06F53ED0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F5F7B8 8_2_06F5F7B8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F53491 8_2_06F53491
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F502D1 8_2_06F502D1
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F53258 8_2_06F53258
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F53248 8_2_06F53248
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F5F380 8_2_06F5F380
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F58378 8_2_06F58378
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F58369 8_2_06F58369
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F510A0 8_2_06F510A0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F52030 8_2_06F52030
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F52020 8_2_06F52020
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F541D8 8_2_06F541D8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F55150 8_2_06F55150
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F52EE8 8_2_06F52EE8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F52ED8 8_2_06F52ED8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F53EC1 8_2_06F53EC1
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F51E39 8_2_06F51E39
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F5EF48 8_2_06F5EF48
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F568B8 8_2_06F568B8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F568A9 8_2_06F568A9
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_00F241F0 12_2_00F241F0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_00F24AC0 12_2_00F24AC0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_00F23EA8 12_2_00F23EA8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A267E8 12_2_06A267E8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A234C0 12_2_06A234C0
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A2B4D8 12_2_06A2B4D8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A20040 12_2_06A20040
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A2E988 12_2_06A2E988
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A28928 12_2_06A28928
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A29D40 12_2_06A29D40
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A25AC8 12_2_06A25AC8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A29033 12_2_06A29033
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A20007 12_2_06A20007
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A2ADF8 12_2_06A2ADF8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_07069760 12_2_07069760
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_0706F748 12_2_0706F748
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_0706F758 12_2_0706F758
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_070632E8 12_2_070632E8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe 8F44B390BA295E14B6A18221D7D74ACBC1AD2B4440DB3380364E9B7964F43670
Sample file is different than original file name gathered from version info
Source: product11221.exe, 00000000.00000002.2015722109.000000000456E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs product11221.exe
Source: product11221.exe, 00000000.00000002.2014077895.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs product11221.exe
Source: product11221.exe, 00000000.00000002.2019743288.0000000007070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs product11221.exe
Source: product11221.exe, 00000000.00000002.2015274120.0000000002B91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs product11221.exe
Source: product11221.exe, 00000000.00000002.2015274120.0000000002C35000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e74042d-4d85-4c31-8894-a88555129434.exe4 vs product11221.exe
Source: product11221.exe, 00000000.00000002.2021653752.000000000A3D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs product11221.exe
Source: product11221.exe, 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e74042d-4d85-4c31-8894-a88555129434.exe4 vs product11221.exe
Source: product11221.exe, 00000000.00000000.1967101567.000000000077C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNoby.exe8 vs product11221.exe
Source: product11221.exe, 00000007.00000002.4449616027.000000000043A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e74042d-4d85-4c31-8894-a88555129434.exe4 vs product11221.exe
Source: product11221.exe, 00000007.00000002.4450560914.00000000014F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs product11221.exe
Source: product11221.exe Binary or memory string: OriginalFilenameNoby.exe8 vs product11221.exe
Uses 32bit PE files
Source: product11221.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.product11221.exe.3bf9d18.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.product11221.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.xOqrCwLHNYO.exe.3958d70.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.xOqrCwLHNYO.exe.391b150.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.product11221.exe.3c37938.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: product11221.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xOqrCwLHNYO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, hcbDrTLwTC.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, CMQvPoq8cy.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, e5d0T5Np.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, 71JxQ8.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, CnG3o.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, 2FAFIfKp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, gdOsx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, gdOsx.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, tG6Nh.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.3c37938.1.raw.unpack, tG6Nh.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, ePL8Fxm711Audi9El6.cs Security API names: _0020.SetAccessControl
Source: 0.2.product11221.exe.4800970.4.raw.unpack, ePL8Fxm711Audi9El6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product11221.exe.4800970.4.raw.unpack, ePL8Fxm711Audi9El6.cs Security API names: _0020.AddAccessRule
Source: 0.2.product11221.exe.4800970.4.raw.unpack, MpFwBAcbgQCpk1mmyY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/11@4/3
Source: C:\Users\user\Desktop\product11221.exe File created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Mutant created: \Sessions\1\BaseNamedObjects\bFIZsxAoPWtaCgIiia
Source: C:\Users\user\Desktop\product11221.exe File created: C:\Users\user\AppData\Local\Temp\PO_00UT11 Jump to behavior
Source: product11221.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: product11221.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: product11221.exe ReversingLabs: Detection: 34%
Source: product11221.exe Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\product11221.exe File read: C:\Users\user\Desktop\product11221.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\product11221.exe "C:\Users\user\Desktop\product11221.exe"
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp8776.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Users\user\Desktop\product11221.exe "C:\Users\user\Desktop\product11221.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp94C4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe"
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe" Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp8776.tmp" Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Users\user\Desktop\product11221.exe "C:\Users\user\Desktop\product11221.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp94C4.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe" Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\product11221.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\product11221.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: product11221.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: product11221.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.product11221.exe.2bb616c.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.product11221.exe.7070000.7.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.product11221.exe.4800970.4.raw.unpack, ePL8Fxm711Audi9El6.cs .Net Code: ylT4AG4VpV System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E12AF7 pushad ; retf 0_2_06E12B05
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E14DE9 pushfd ; ret 0_2_06E14DEA
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E115BA push ds; retf 0_2_06E115BB
Source: C:\Users\user\Desktop\product11221.exe Code function: 0_2_06E13757 push 3861A8E5h; iretd 0_2_06E1375C
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_01650B4D push edi; ret 7_2_01650CC2
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_01650C95 push edi; retf 7_2_01650C3A
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_048C8755 push FFFFFF8Bh; iretd 8_2_048C8757
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F5BAA8 pushfd ; ret 8_2_06F5BAA9
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F50BE7 pushad ; retf 8_2_06F50BE8
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 8_2_06F50BDD pushad ; retf 8_2_06F50BDE
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_00F20C95 push edi; retf 12_2_00F20C3A
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_00F20C3D push edi; ret 12_2_00F20CC2
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_06A2E582 push 8B03C7ADh; iretd 12_2_06A2E59A
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Code function: 12_2_07067410 push es; ret 12_2_07067420
Source: product11221.exe Static PE information: section name: .text entropy: 7.934603388933473
Source: xOqrCwLHNYO.exe.0.dr Static PE information: section name: .text entropy: 7.934603388933473
Source: 0.2.product11221.exe.4800970.4.raw.unpack, ePL8Fxm711Audi9El6.cs High entropy of concatenated method names: 'wRjkrLe2fd', 'rWckwiBB76', 'iuPk2rOAN1', 'ppJkU2F36J', 'dxakLAA5Zo', 'YqtkqAV0dy', 'PDnk6BMXSx', 'AsLkmItX1t', 'n24kClt1Gm', 'QXUkYZuFri'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, CqQnJJtHSwhLT1Gquw.cs High entropy of concatenated method names: 'dHs6wRswC2', 'HDo6UJKTZg', 'uNF6qusJRM', 'z7SqGmJ2RZ', 'jK1qzL1jyl', 'Iac63u2NP9', 'g8q6X8rgKO', 'JeL6M3hUbe', 'etC6kiRPcN', 'tgh64O2f2S'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, RhY1c2P0WZXAHyYbh5.cs High entropy of concatenated method names: 'dHcgctpSli', 'ub4gRlGxHP', 'crvgN1aUcr', 'oXpgsFA7J3', 'WPFgiYSBBP', 'Llmg07Lom5', 'kjxgtMpUpg', 'VCHgZq5xnJ', 'rqWgywcvc4', 'zdKgKEZIZP'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, wD3n2UN2dU7uJZPRxB.cs High entropy of concatenated method names: 'LEjqr3UYaD', 'Ulqq2Y3qgx', 'sAFqLqQMPg', 'xW0q6a2B4r', 'NFfqmpoOHL', 'S7gL94yrHN', 'NxNLxVDyWB', 'eqcL1mQjCa', 'nFWLHUbtPd', 'X43LlLWZMD'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, m34I9K2hUI0RHBPQdC.cs High entropy of concatenated method names: 'Dispose', 'L1HXlxHI6A', 'AvAMsu4ybY', 'XetWWSSstq', 'JIbXGdAIfN', 'bLaXz3a13o', 'ProcessDialogKey', 'nFvM3tnVER', 'EFKMXUimE8', 'JPjMMChsep'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, qjHMm0DIqSuMTeQ9Xo.cs High entropy of concatenated method names: 'C5M6SIVUES', 'A1N65pLgyd', 'qey6AcmUHJ', 'wLU6jHDhDi', 'BXK6Fx2Qkd', 'Yyt6BJrHhK', 'znj6Jh0RXK', 'hKP6ciXnpr', 'K0K6RD12WO', 'd5o6VWB6sn'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, cCJYv4x0iCSs5koaxn.cs High entropy of concatenated method names: 'bJ2bHkkBic', 'w9vbGCfwqo', 'tjD73VtY1B', 'gta7XyoVIv', 'mWWbKvY5sF', 'hEQbT5l3uB', 'NbYbPgCyhl', 'Sa8bfyuBQ4', 'SdQb8VW12k', 'OaHbI6AwO1'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, K8atoD406M0sq5aZAL.cs High entropy of concatenated method names: 'M2DX6pFwBA', 'qgQXmCpk1m', 'NaEXY0fwC6', 'oWHXEGBmfG', 'hbdXObfeD3', 'K2UXQ2dU7u', 'z6CqCfOJVCQUcHmvAd', 'hLU1uiSlE1dBRtAs1h', 'e2hXXIitBd', 'zcmXk3oaAB'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, Irg2HCMv2b4WpYyT8G.cs High entropy of concatenated method names: 'pF3APmG7V', 'zpTjZY5VT', 'U4ZB2GxMb', 'e3uJA9yfe', 'u4iRig8jF', 'iZmVpml0Z', 'xv28ysc060RT7MJRbQ', 'BsAHvorU45Q3dpRsNr', 'icm7bfFYX', 'LY6uVXIJT'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, BwMpPyRaE0fwC6gWHG.cs High entropy of concatenated method names: 'eYeUjcLwXV', 'wPmUBG9KGI', 'uSHUcmXqPn', 'yJ0URFkLPi', 'OoEUO3ooMg', 'xEkUQWXX8R', 'jgXUbODcmd', 'bm0U7BGgpV', 'I8IUhgMCf3', 'zDwUuM7AJI'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, QB3DRiIXEqxtRnkcyy.cs High entropy of concatenated method names: 'ToString', 'aYvQKGvQYk', 'silQs8OaH8', 'dlSQory2o5', 'PiiQiYHVMb', 'ntWQ0osLPV', 'EvoQn6hFfM', 'kRNQtWF3Zf', 'lpDQZynyyh', 'fRmQDTH7Bk'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, SbdAIfHNXLa3a13ogF.cs High entropy of concatenated method names: 'zhw7wa5GU2', 'dfu72d7oSI', 'WJL7Un4cwE', 'CG47LPT4Ou', 'qO07qDr2bM', 'HgH762NXws', 'hSA7m8opKT', 'k5F7CNuP3w', 'FTN7Y2m76Q', 'QAV7EUA7RS'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, KXMW7Ea1CHLkqtPRSN.cs High entropy of concatenated method names: 'AVIbYojMab', 'eHQbEjK10v', 'ToString', 'FaBbw9Mbcq', 'MOCb2DHBra', 'bZpbUlBdWV', 'wkGbLdB74r', 'ffBbqU9f2R', 'JpPb6o5qdH', 'koobmC5FUJ'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, p7p1H1X3ZeYoc7K5y2y.cs High entropy of concatenated method names: 'wIjhSDh8Ld', 'BNXh5800he', 'KlVhAraHWY', 'e8fhjKgu0I', 'NBshF9tCmB', 'Y1RhBoruTJ', 'fWNhJMIFu0', 'xV0hcWNhFC', 'SKlhR7htW2', 'tGnhVhm3nK'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, sP2atFfsvBrFmAIQXd.cs High entropy of concatenated method names: 'WxSOyrEIfl', 'aFuOT6IJEk', 'DPFOfSc4qx', 'DmnO8yHxcr', 'avJOsX0EMY', 'g6wOoKM8uj', 'Dq9Oib8Ykc', 'YOgO0gWhTu', 'EKuOneWeJu', 'nP1Ot8iSE5'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, lhseptG0IXPg6lYd3G.cs High entropy of concatenated method names: 'FIchXd1kTV', 'KDThk9BH7X', 'PZJh4xpKQp', 'DeAhwPXlis', 'rEPh2OyyqR', 'sZQhLdxuqM', 'qLKhqRgOCk', 'h1P71Lww8r', 'Bgd7HhctYh', 'wwd7lcAh2q'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, KjcfAqXk1CFG24lAX2A.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qx2ufgLm4M', 'sr1u8Nhw31', 'rU6uICxK5s', 'kJvuatAYSQ', 'Hjiu9LAp6Q', 'juyuxigf6q', 'to7u1nT03j'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, utnVERlRFKUimE80Pj.cs High entropy of concatenated method names: 'ubt7N1PhGk', 'HeQ7s9an2g', 'nL07oG8nKT', 'tpy7ipt0Ro', 'Jj97fjxpnE', 'XKx70Pj3iA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, f4DnlkzL3rGJrSHsJC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HI4hgFXHOX', 'N8ehO1l614', 'QjmhQ51cL0', 'BDIhb3HvOh', 'cY5h7TI5ql', 'X3qhhuOdvV', 'DOkhu3b6kj'
Source: 0.2.product11221.exe.4800970.4.raw.unpack, MpFwBAcbgQCpk1mmyY.cs High entropy of concatenated method names: 'dnu2fek4uD', 'hmh289RkQr', 'npj2IpkmtT', 'iFo2awa7SN', 'RcW29EuTv1', 'Lrq2xtVTQs', 'na421QFpbB', 'yWv2HPwp1m', 'WBi2lnP8AK', 'GPy2GFT0XO'
Drops PE files
Source: C:\Users\user\Desktop\product11221.exe File created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp8776.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\product11221.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 6800, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: product11221.exe, 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, xOqrCwLHNYO.exe, 0000000C.00000002.4449616776.0000000000437000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 29C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 2B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 29C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 7C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 8C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 8DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 9DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: A450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 7C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 1650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 3420000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: 1800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 28B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 48B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 7590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 8590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 8740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 9740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 9D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 7590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory allocated: 4C10000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599855 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599734 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599625 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599515 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599399 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599296 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599062 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599248
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8623 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 980 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Window / User API: threadDelayed 3868 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Window / User API: threadDelayed 5933 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Window / User API: threadDelayed 2075
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Window / User API: threadDelayed 7746
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\product11221.exe TID: 5516 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2624 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599855s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599399s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -599062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99442s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -98016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -96047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -95937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -95828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -95719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe TID: 2676 Thread sleep time: -95609s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 3208 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -599248s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98827s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -94990s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe TID: 7492 Thread sleep time: -94735s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\product11221.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599855 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599734 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599625 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599515 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599399 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599296 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 599062 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99442 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98671 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98344 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 98016 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97906 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97797 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97141 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 97031 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96921 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96812 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96703 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96594 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96375 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96156 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 96047 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 95828 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 95719 Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Thread delayed: delay time: 95609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 599248
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98827
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96985
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96735
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96610
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96485
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96235
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 96110
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95985
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95860
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95735
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95610
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95485
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95360
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95235
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 95110
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 94990
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 94860
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Thread delayed: delay time: 94735
Source: product11221.exe, 00000007.00000002.4454733816.00000000017E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: xOqrCwLHNYO.exe, 0000000C.00000002.4449616776.0000000000437000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: xOqrCwLHNYO.exe, 0000000C.00000002.4454174198.0000000001021000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: xOqrCwLHNYO.exe, 0000000C.00000002.4449616776.0000000000437000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: C:\Users\user\Desktop\product11221.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\product11221.exe Code function: 7_2_01657EC8 CheckRemoteDebuggerPresent, 7_2_01657EC8
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\product11221.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\product11221.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe"
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\product11221.exe Memory written: C:\Users\user\Desktop\product11221.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Memory written: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe" Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp8776.tmp" Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Process created: C:\Users\user\Desktop\product11221.exe "C:\Users\user\Desktop\product11221.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOqrCwLHNYO" /XML "C:\Users\user\AppData\Local\Temp\tmp94C4.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Process created: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe "C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Users\user\Desktop\product11221.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Users\user\Desktop\product11221.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\product11221.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.4457367618.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4458811928.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 7404, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\product11221.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\product11221.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\product11221.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\xOqrCwLHNYO.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.product11221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4449616027.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.4457367618.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4458811928.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 7404, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3c37938.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.3958d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.product11221.exe.3bf9d18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xOqrCwLHNYO.exe.391b150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.4457367618.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4458811928.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2053147413.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2015722109.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: product11221.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xOqrCwLHNYO.exe PID: 7404, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427941 Sample: product11221.exe Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 38 mail.torosdental.com 2->38 40 torosdental.com 2->40 42 2 other IPs or domains 2->42 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 11 other signatures 2->56 8 product11221.exe 8 2->8         started        12 xOqrCwLHNYO.exe 6 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\xOqrCwLHNYO.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmp8776.tmp, XML 8->36 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 70 3 other signatures 8->70 14 product11221.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 22 xOqrCwLHNYO.exe 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 44 ip-api.com 208.95.112.1, 49708, 49713, 80 TUT-ASUS United States 14->44 46 torosdental.com 159.253.43.92, 49711, 49714, 49715 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 14->46 48 api.ipify.org 104.26.12.205, 443, 49707, 49712 CLOUDFLARENETUS United States 14->48 72 Installs a global keyboard hook 14->72 74 Loading BitLocker PowerShell Module 18->74 26 WmiPrvSE.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->76 78 Tries to steal Mail credentials (via file / registry access) 22->78 80 Tries to harvest and steal ftp login credentials 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 32 conhost.exe 24->32         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
159.253.43.92
 torosdental.com Turkey
51559 NETINTERNETNetinternetBilisimTeknolojileriASTR false

Contacted Domains

Name IP Active
torosdental.com 159.253.43.92 true
api.ipify.org 104.26.12.205 true
ip-api.com 208.95.112.1 true
mail.torosdental.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://ip-api.com/line/?fields=hosting false
      		high