Edit tour

Windows Analysis Report
BL NO - SNKO05B250100198.exe

Overview

General Information

Sample name:	BL NO - SNKO05B250100198.exe
Analysis ID:	1630887
MD5:	74af05135535bf1b1b658be4054c6f9c
SHA1:	a0a0ff9ad3258273cfd5eeae3c141500582a928f
SHA256:	fcaced686feba6d013cb3ba8b56992c3c16279b0eab884a15422848e46fccfc3
Tags:	exeSnakeKeyloggeruser-cocaman
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BL NO - SNKO05B250100198.exe (PID: 2148 cmdline: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

powershell.exe (PID: 928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7596 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BL NO - SNKO05B250100198.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

BL NO - SNKO05B250100198.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

suoEnXDEHePT.exe (PID: 7520 cmdline: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe MD5: 74AF05135535BF1B1B658BE4054C6F9C)

schtasks.exe (PID: 7708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

suoEnXDEHePT.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

suoEnXDEHePT.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

suoEnXDEHePT.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

suoEnXDEHePT.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe" MD5: 74AF05135535BF1B1B658BE4054C6F9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY/sendMessage?chat_id=5217421430", "Token": "7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY", "Chat_id": "5217421430", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4178062543.000000000313F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18b9:$a1: get_encryptedPassword 0x1ba5:$a2: get_encryptedUsername 0x16c5:$a3: get_timePasswordChanged 0x17c0:$a4: get_passwordField 0x18cf:$a5: set_encryptedPassword 0x2f99:$a7: get_logins 0x2efc:$a10: KeyLoggerEventArgs 0x2b67:$a11: KeyLoggerEventArgsEventHandler
00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6888:$x1: $%SMTPDV$ 0x526c:$x2: $#TheHashHere%& 0x6830:$x3: %FTPDV$ 0x520c:$x4: $%TelegramDv$ 0x2b67:$x5: KeyLoggerEventArgs 0x2efc:$x5: KeyLoggerEventArgs 0x6854:$m2: Clipboard Logs ID 0x6a92:$m2: Screenshot Logs ID 0x6ba2:$m2: keystroke Logs ID 0x6e7c:$m3: SnakePW 0x6a6a:$m4: \SnakeKeylogger\
00000011.00000002.4178395775.00000000035FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15529:$a1: get_encryptedPassword 0x35f49:$a1: get_encryptedPassword 0x56769:$a1: get_encryptedPassword 0x15815:$a2: get_encryptedUsername 0x36235:$a2: get_encryptedUsername 0x56a55:$a2: get_encryptedUsername 0x15335:$a3: get_timePasswordChanged 0x35d55:$a3: get_timePasswordChanged 0x56575:$a3: get_timePasswordChanged 0x15430:$a4: get_passwordField 0x35e50:$a4: get_passwordField 0x56670:$a4: get_passwordField 0x1553f:$a5: set_encryptedPassword 0x35f5f:$a5: set_encryptedPassword 0x5677f:$a5: set_encryptedPassword 0x16c09:$a7: get_logins 0x37629:$a7: get_logins 0x57e49:$a7: get_logins 0x16b6c:$a10: KeyLoggerEventArgs 0x3758c:$a10: KeyLoggerEventArgs 0x57dac:$a10: KeyLoggerEventArgs
0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a4f8:$x1: $%SMTPDV$ 0x3af18:$x1: $%SMTPDV$ 0x5b738:$x1: $%SMTPDV$ 0x18edc:$x2: $#TheHashHere%& 0x398fc:$x2: $#TheHashHere%& 0x5a11c:$x2: $#TheHashHere%& 0x1a4a0:$x3: %FTPDV$ 0x3aec0:$x3: %FTPDV$ 0x5b6e0:$x3: %FTPDV$ 0x18e7c:$x4: $%TelegramDv$ 0x3989c:$x4: $%TelegramDv$ 0x5a0bc:$x4: $%TelegramDv$ 0x167d7:$x5: KeyLoggerEventArgs 0x16b6c:$x5: KeyLoggerEventArgs 0x371f7:$x5: KeyLoggerEventArgs 0x3758c:$x5: KeyLoggerEventArgs 0x57a17:$x5: KeyLoggerEventArgs 0x57dac:$x5: KeyLoggerEventArgs 0x1a4c4:$m2: Clipboard Logs ID 0x1a702:$m2: Screenshot Logs ID 0x1a812:$m2: keystroke Logs ID
00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15889:$a1: get_encryptedPassword 0x362a9:$a1: get_encryptedPassword 0x56ac9:$a1: get_encryptedPassword 0x15b75:$a2: get_encryptedUsername 0x36595:$a2: get_encryptedUsername 0x56db5:$a2: get_encryptedUsername 0x15695:$a3: get_timePasswordChanged 0x360b5:$a3: get_timePasswordChanged 0x568d5:$a3: get_timePasswordChanged 0x15790:$a4: get_passwordField 0x361b0:$a4: get_passwordField 0x569d0:$a4: get_passwordField 0x1589f:$a5: set_encryptedPassword 0x362bf:$a5: set_encryptedPassword 0x56adf:$a5: set_encryptedPassword 0x16f69:$a7: get_logins 0x37989:$a7: get_logins 0x581a9:$a7: get_logins 0x16ecc:$a10: KeyLoggerEventArgs 0x378ec:$a10: KeyLoggerEventArgs 0x5810c:$a10: KeyLoggerEventArgs
00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a858:$x1: $%SMTPDV$ 0x3b278:$x1: $%SMTPDV$ 0x5ba98:$x1: $%SMTPDV$ 0x1923c:$x2: $#TheHashHere%& 0x39c5c:$x2: $#TheHashHere%& 0x5a47c:$x2: $#TheHashHere%& 0x1a800:$x3: %FTPDV$ 0x3b220:$x3: %FTPDV$ 0x5ba40:$x3: %FTPDV$ 0x191dc:$x4: $%TelegramDv$ 0x39bfc:$x4: $%TelegramDv$ 0x5a41c:$x4: $%TelegramDv$ 0x16b37:$x5: KeyLoggerEventArgs 0x16ecc:$x5: KeyLoggerEventArgs 0x37557:$x5: KeyLoggerEventArgs 0x378ec:$x5: KeyLoggerEventArgs 0x57d77:$x5: KeyLoggerEventArgs 0x5810c:$x5: KeyLoggerEventArgs 0x1a824:$m2: Clipboard Logs ID 0x1aa62:$m2: Screenshot Logs ID 0x1ab72:$m2: keystroke Logs ID
00000011.00000002.4178395775.0000000003431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5ef60:$a1: get_encryptedPassword 0x5f242:$a2: get_encryptedUsername 0x5ed76:$a3: get_timePasswordChanged 0x5ee71:$a4: get_passwordField 0x5ef76:$a5: set_encryptedPassword 0x61450:$a7: get_logins 0x613b3:$a10: KeyLoggerEventArgs 0x6101e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6101e:$x5: KeyLoggerEventArgs 0x613b3:$x5: KeyLoggerEventArgs 0x61cba:$x5: KeyLoggerEventArgs 0x6201b:$x5: KeyLoggerEventArgs 0x635de:$m2: Clipboard Logs ID 0x636e4:$m2: Screenshot Logs ID 0x6373a:$m2: keystroke Logs ID 0x6386f:$m3: SnakePW 0x636d0:$m4: \SnakeKeylogger\
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 7448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BL NO - SNKO05B250100198.exe PID: 7448	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7520	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7520	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1757:$a1: get_encryptedPassword 0x1a39:$a2: get_encryptedUsername 0x156d:$a3: get_timePasswordChanged 0x1668:$a4: get_passwordField 0x176d:$a5: set_encryptedPassword 0x3c47:$a7: get_logins 0x3baa:$a10: KeyLoggerEventArgs 0x3815:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: suoEnXDEHePT.exe PID: 7520	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3815:$x5: KeyLoggerEventArgs 0x3baa:$x5: KeyLoggerEventArgs 0x44b1:$x5: KeyLoggerEventArgs 0x4812:$x5: KeyLoggerEventArgs 0x5dd5:$m2: Clipboard Logs ID 0x5edb:$m2: Screenshot Logs ID 0x5f31:$m2: keystroke Logs ID 0x6066:$m3: SnakePW 0x5ec7:$m4: \SnakeKeylogger\
Process Memory Space: suoEnXDEHePT.exe PID: 7776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7776	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: suoEnXDEHePT.exe PID: 7776	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10ea8:$a1: get_encryptedPassword 0x1118a:$a2: get_encryptedUsername 0x10cbe:$a3: get_timePasswordChanged 0x10db9:$a4: get_passwordField 0x10ebe:$a5: set_encryptedPassword 0x13398:$a7: get_logins 0x132fb:$a10: KeyLoggerEventArgs 0x12f66:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: suoEnXDEHePT.exe PID: 7776	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12f66:$x5: KeyLoggerEventArgs 0x132fb:$x5: KeyLoggerEventArgs 0x13c02:$x5: KeyLoggerEventArgs 0x13f63:$x5: KeyLoggerEventArgs 0x15526:$m2: Clipboard Logs ID 0x1562c:$m2: Screenshot Logs ID 0x15682:$m2: keystroke Logs ID 0x157b7:$m3: SnakePW 0x15618:$m4: \SnakeKeylogger\
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cb9:$a1: get_encryptedPassword 0x12fa5:$a2: get_encryptedUsername 0x12ac5:$a3: get_timePasswordChanged 0x12bc0:$a4: get_passwordField 0x12ccf:$a5: set_encryptedPassword 0x14399:$a7: get_logins 0x142fc:$a10: KeyLoggerEventArgs 0x13f67:$a11: KeyLoggerEventArgsEventHandler
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a63e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19870:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ca3:$a4: \Orbitum\User Data\Default\Login Data 0x1ace2:$a5: \Kometa\User Data\Default\Login Data
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ca:$s1: UnHook 0x138d1:$s2: SetHook 0x138d9:$s3: CallNextHook 0x138e6:$s4: _hook
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c88:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17c30:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f67:$x5: KeyLoggerEventArgs 0x142fc:$x5: KeyLoggerEventArgs 0x17c54:$m2: Clipboard Logs ID 0x17e92:$m2: Screenshot Logs ID 0x17fa2:$m2: keystroke Logs ID 0x1827c:$m3: SnakePW 0x17e6a:$m4: \SnakeKeylogger\
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cb9:$a1: get_encryptedPassword 0x12fa5:$a2: get_encryptedUsername 0x12ac5:$a3: get_timePasswordChanged 0x12bc0:$a4: get_passwordField 0x12ccf:$a5: set_encryptedPassword 0x14399:$a7: get_logins 0x142fc:$a10: KeyLoggerEventArgs 0x13f67:$a11: KeyLoggerEventArgsEventHandler
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a63e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19870:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ca3:$a4: \Orbitum\User Data\Default\Login Data 0x1ace2:$a5: \Kometa\User Data\Default\Login Data
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ca:$s1: UnHook 0x138d1:$s2: SetHook 0x138d9:$s3: CallNextHook 0x138e6:$s4: _hook
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c88:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17c30:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f67:$x5: KeyLoggerEventArgs 0x142fc:$x5: KeyLoggerEventArgs 0x17c54:$m2: Clipboard Logs ID 0x17e92:$m2: Screenshot Logs ID 0x17fa2:$m2: keystroke Logs ID 0x1827c:$m3: SnakePW 0x17e6a:$m4: \SnakeKeylogger\
10.2.suoEnXDEHePT.exe.4462490.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.suoEnXDEHePT.exe.4462490.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.suoEnXDEHePT.exe.4462490.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cb9:$a1: get_encryptedPassword 0x12fa5:$a2: get_encryptedUsername 0x12ac5:$a3: get_timePasswordChanged 0x12bc0:$a4: get_passwordField 0x12ccf:$a5: set_encryptedPassword 0x14399:$a7: get_logins 0x142fc:$a10: KeyLoggerEventArgs 0x13f67:$a11: KeyLoggerEventArgsEventHandler
10.2.suoEnXDEHePT.exe.4462490.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a63e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19870:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ca3:$a4: \Orbitum\User Data\Default\Login Data 0x1ace2:$a5: \Kometa\User Data\Default\Login Data
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.suoEnXDEHePT.exe.4462490.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ca:$s1: UnHook 0x138d1:$s2: SetHook 0x138d9:$s3: CallNextHook 0x138e6:$s4: _hook
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cb9:$a1: get_encryptedPassword 0x12fa5:$a2: get_encryptedUsername 0x12ac5:$a3: get_timePasswordChanged 0x12bc0:$a4: get_passwordField 0x12ccf:$a5: set_encryptedPassword 0x14399:$a7: get_logins 0x142fc:$a10: KeyLoggerEventArgs 0x13f67:$a11: KeyLoggerEventArgsEventHandler
10.2.suoEnXDEHePT.exe.4462490.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c88:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17c30:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f67:$x5: KeyLoggerEventArgs 0x142fc:$x5: KeyLoggerEventArgs 0x17c54:$m2: Clipboard Logs ID 0x17e92:$m2: Screenshot Logs ID 0x17fa2:$m2: keystroke Logs ID 0x1827c:$m3: SnakePW 0x17e6a:$m4: \SnakeKeylogger\
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ab9:$a1: get_encryptedPassword 0x352d9:$a1: get_encryptedPassword 0x14da5:$a2: get_encryptedUsername 0x355c5:$a2: get_encryptedUsername 0x148c5:$a3: get_timePasswordChanged 0x350e5:$a3: get_timePasswordChanged 0x149c0:$a4: get_passwordField 0x351e0:$a4: get_passwordField 0x14acf:$a5: set_encryptedPassword 0x352ef:$a5: set_encryptedPassword 0x16199:$a7: get_logins 0x369b9:$a7: get_logins 0x160fc:$a10: KeyLoggerEventArgs 0x3691c:$a10: KeyLoggerEventArgs 0x15d67:$a11: KeyLoggerEventArgsEventHandler 0x36587:$a11: KeyLoggerEventArgsEventHandler
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c43e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b670:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be90:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baa3:$a4: \Orbitum\User Data\Default\Login Data 0x3c2c3:$a4: \Orbitum\User Data\Default\Login Data 0x1cae2:$a5: \Kometa\User Data\Default\Login Data 0x3d302:$a5: \Kometa\User Data\Default\Login Data
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a63e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19870:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ca3:$a4: \Orbitum\User Data\Default\Login Data 0x1ace2:$a5: \Kometa\User Data\Default\Login Data
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ca:$s1: UnHook 0x35eea:$s1: UnHook 0x156d1:$s2: SetHook 0x35ef1:$s2: SetHook 0x156d9:$s3: CallNextHook 0x35ef9:$s3: CallNextHook 0x156e6:$s4: _hook 0x35f06:$s4: _hook
10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a88:$x1: $%SMTPDV$ 0x3a2a8:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x38c8c:$x2: $#TheHashHere%& 0x19a30:$x3: %FTPDV$ 0x3a250:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x38c2c:$x4: $%TelegramDv$ 0x15d67:$x5: KeyLoggerEventArgs 0x160fc:$x5: KeyLoggerEventArgs 0x36587:$x5: KeyLoggerEventArgs 0x3691c:$x5: KeyLoggerEventArgs 0x19a54:$m2: Clipboard Logs ID 0x19c92:$m2: Screenshot Logs ID 0x19da2:$m2: keystroke Logs ID 0x3a274:$m2: Clipboard Logs ID 0x3a4b2:$m2: Screenshot Logs ID 0x3a5c2:$m2: keystroke Logs ID 0x1a07c:$m3: SnakePW 0x3a89c:$m3: SnakePW 0x19c6a:$m4: \SnakeKeylogger\
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ca:$s1: UnHook 0x138d1:$s2: SetHook 0x138d9:$s3: CallNextHook 0x138e6:$s4: _hook
10.2.suoEnXDEHePT.exe.4441a70.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c88:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17c30:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f67:$x5: KeyLoggerEventArgs 0x142fc:$x5: KeyLoggerEventArgs 0x17c54:$m2: Clipboard Logs ID 0x17e92:$m2: Screenshot Logs ID 0x17fa2:$m2: keystroke Logs ID 0x1827c:$m3: SnakePW 0x17e6a:$m4: \SnakeKeylogger\
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ab9:$a1: get_encryptedPassword 0x354d9:$a1: get_encryptedPassword 0x55cf9:$a1: get_encryptedPassword 0x14da5:$a2: get_encryptedUsername 0x357c5:$a2: get_encryptedUsername 0x55fe5:$a2: get_encryptedUsername 0x148c5:$a3: get_timePasswordChanged 0x352e5:$a3: get_timePasswordChanged 0x55b05:$a3: get_timePasswordChanged 0x149c0:$a4: get_passwordField 0x353e0:$a4: get_passwordField 0x55c00:$a4: get_passwordField 0x14acf:$a5: set_encryptedPassword 0x354ef:$a5: set_encryptedPassword 0x55d0f:$a5: set_encryptedPassword 0x16199:$a7: get_logins 0x36bb9:$a7: get_logins 0x573d9:$a7: get_logins 0x160fc:$a10: KeyLoggerEventArgs 0x36b1c:$a10: KeyLoggerEventArgs 0x5733c:$a10: KeyLoggerEventArgs
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c43e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d67e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b670:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c090:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baa3:$a4: \Orbitum\User Data\Default\Login Data 0x3c4c3:$a4: \Orbitum\User Data\Default\Login Data 0x5cce3:$a4: \Orbitum\User Data\Default\Login Data 0x1cae2:$a5: \Kometa\User Data\Default\Login Data 0x3d502:$a5: \Kometa\User Data\Default\Login Data 0x5dd22:$a5: \Kometa\User Data\Default\Login Data
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ca:$s1: UnHook 0x360ea:$s1: UnHook 0x5690a:$s1: UnHook 0x156d1:$s2: SetHook 0x360f1:$s2: SetHook 0x56911:$s2: SetHook 0x156d9:$s3: CallNextHook 0x360f9:$s3: CallNextHook 0x56919:$s3: CallNextHook 0x156e6:$s4: _hook 0x36106:$s4: _hook 0x56926:$s4: _hook
10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a88:$x1: $%SMTPDV$ 0x3a4a8:$x1: $%SMTPDV$ 0x5acc8:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x38e8c:$x2: $#TheHashHere%& 0x596ac:$x2: $#TheHashHere%& 0x19a30:$x3: %FTPDV$ 0x3a450:$x3: %FTPDV$ 0x5ac70:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x38e2c:$x4: $%TelegramDv$ 0x5964c:$x4: $%TelegramDv$ 0x15d67:$x5: KeyLoggerEventArgs 0x160fc:$x5: KeyLoggerEventArgs 0x36787:$x5: KeyLoggerEventArgs 0x36b1c:$x5: KeyLoggerEventArgs 0x56fa7:$x5: KeyLoggerEventArgs 0x5733c:$x5: KeyLoggerEventArgs 0x19a54:$m2: Clipboard Logs ID 0x19c92:$m2: Screenshot Logs ID 0x19da2:$m2: keystroke Logs ID
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ab9:$a1: get_encryptedPassword 0x352d9:$a1: get_encryptedPassword 0x14da5:$a2: get_encryptedUsername 0x355c5:$a2: get_encryptedUsername 0x148c5:$a3: get_timePasswordChanged 0x350e5:$a3: get_timePasswordChanged 0x149c0:$a4: get_passwordField 0x351e0:$a4: get_passwordField 0x14acf:$a5: set_encryptedPassword 0x352ef:$a5: set_encryptedPassword 0x16199:$a7: get_logins 0x369b9:$a7: get_logins 0x160fc:$a10: KeyLoggerEventArgs 0x3691c:$a10: KeyLoggerEventArgs 0x15d67:$a11: KeyLoggerEventArgsEventHandler 0x36587:$a11: KeyLoggerEventArgsEventHandler
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ca:$s1: UnHook 0x35eea:$s1: UnHook 0x156d1:$s2: SetHook 0x35ef1:$s2: SetHook 0x156d9:$s3: CallNextHook 0x35ef9:$s3: CallNextHook 0x156e6:$s4: _hook 0x35f06:$s4: _hook
0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a88:$x1: $%SMTPDV$ 0x3a2a8:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x38c8c:$x2: $#TheHashHere%& 0x19a30:$x3: %FTPDV$ 0x3a250:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x38c2c:$x4: $%TelegramDv$ 0x15d67:$x5: KeyLoggerEventArgs 0x160fc:$x5: KeyLoggerEventArgs 0x36587:$x5: KeyLoggerEventArgs 0x3691c:$x5: KeyLoggerEventArgs 0x19a54:$m2: Clipboard Logs ID 0x19c92:$m2: Screenshot Logs ID 0x19da2:$m2: keystroke Logs ID 0x3a274:$m2: Clipboard Logs ID 0x3a4b2:$m2: Screenshot Logs ID 0x3a5c2:$m2: keystroke Logs ID 0x1a07c:$m3: SnakePW 0x3a89c:$m3: SnakePW 0x19c6a:$m4: \SnakeKeylogger\
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ab9:$a1: get_encryptedPassword 0x354d9:$a1: get_encryptedPassword 0x55cf9:$a1: get_encryptedPassword 0x14da5:$a2: get_encryptedUsername 0x357c5:$a2: get_encryptedUsername 0x55fe5:$a2: get_encryptedUsername 0x148c5:$a3: get_timePasswordChanged 0x352e5:$a3: get_timePasswordChanged 0x55b05:$a3: get_timePasswordChanged 0x149c0:$a4: get_passwordField 0x353e0:$a4: get_passwordField 0x55c00:$a4: get_passwordField 0x14acf:$a5: set_encryptedPassword 0x354ef:$a5: set_encryptedPassword 0x55d0f:$a5: set_encryptedPassword 0x16199:$a7: get_logins 0x36bb9:$a7: get_logins 0x573d9:$a7: get_logins 0x160fc:$a10: KeyLoggerEventArgs 0x36b1c:$a10: KeyLoggerEventArgs 0x5733c:$a10: KeyLoggerEventArgs
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ca:$s1: UnHook 0x360ea:$s1: UnHook 0x5690a:$s1: UnHook 0x156d1:$s2: SetHook 0x360f1:$s2: SetHook 0x56911:$s2: SetHook 0x156d9:$s3: CallNextHook 0x360f9:$s3: CallNextHook 0x56919:$s3: CallNextHook 0x156e6:$s4: _hook 0x36106:$s4: _hook 0x56926:$s4: _hook
0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a88:$x1: $%SMTPDV$ 0x3a4a8:$x1: $%SMTPDV$ 0x5acc8:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x38e8c:$x2: $#TheHashHere%& 0x596ac:$x2: $#TheHashHere%& 0x19a30:$x3: %FTPDV$ 0x3a450:$x3: %FTPDV$ 0x5ac70:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x38e2c:$x4: $%TelegramDv$ 0x5964c:$x4: $%TelegramDv$ 0x15d67:$x5: KeyLoggerEventArgs 0x160fc:$x5: KeyLoggerEventArgs 0x36787:$x5: KeyLoggerEventArgs 0x36b1c:$x5: KeyLoggerEventArgs 0x56fa7:$x5: KeyLoggerEventArgs 0x5733c:$x5: KeyLoggerEventArgs 0x19a54:$m2: Clipboard Logs ID 0x19c92:$m2: Screenshot Logs ID 0x19da2:$m2: keystroke Logs ID
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ParentImage: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe, ParentProcessId: 2148, ParentProcessName: BL NO - SNKO05B250100198.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ProcessId: 928, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe, ParentImage: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe, ParentProcessId: 7520, ParentProcessName: suoEnXDEHePT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", ProcessId: 7708, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ParentImage: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe, ParentProcessId: 2148, ParentProcessName: BL NO - SNKO05B250100198.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", ProcessId: 7244, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ParentImage: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe, ParentProcessId: 2148, ParentProcessName: BL NO - SNKO05B250100198.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ProcessId: 928, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe", ParentImage: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe, ParentProcessId: 2148, ParentProcessName: BL NO - SNKO05B250100198.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp", ProcessId: 7244, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T12:07:19.154501+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	104.21.112.1	443	TCP
2025-03-06T12:07:22.614387+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	104.21.112.1	443	TCP
2025-03-06T12:07:24.805640+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	104.21.112.1	443	TCP
2025-03-06T12:07:28.361331+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	104.21.112.1	443	TCP
2025-03-06T12:07:31.406497+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	104.21.112.1	443	TCP
2025-03-06T12:07:37.250246+0100	2803305	3	Unknown Traffic	192.168.2.4	49766	104.21.112.1	443	TCP
2025-03-06T12:07:40.153865+0100	2803305	3	Unknown Traffic	192.168.2.4	49768	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T12:07:14.485055+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2025-03-06T12:07:16.942169+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	193.122.6.168	80	TCP
2025-03-06T12:07:17.688184+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.6.168	80	TCP
2025-03-06T12:07:19.861530+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49743	193.122.6.168	80	TCP
2025-03-06T12:07:20.516349+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.6.168	80	TCP
2025-03-06T12:07:22.656937+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49746	193.122.6.168	80	TCP
2025-03-06T12:07:23.328859+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	193.122.6.168	80	TCP
2025-03-06T12:07:25.500745+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	193.122.6.168	80	TCP
2025-03-06T12:07:26.172593+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY/sendMessage?chat_id=5217421430", "Token": "7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY", "Chat_id": "5217421430", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: BL NO - SNKO05B250100198.exe	Virustotal: Detection: 38%			Perma Link
Source: BL NO - SNKO05B250100198.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor:
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 5217421430
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor:
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 5217421430
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor:
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 7090278007:AAFHPCzmcS80DwGLKVdiQJ_jsHgHEuSn0QY
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack	String decryptor: 5217421430

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: BL NO - SNKO05B250100198.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: BL NO - SNKO05B250100198.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: olrc.pdbSHA256 source: BL NO - SNKO05B250100198.exe, suoEnXDEHePT.exe.0.dr
Source:	Binary string: olrc.pdb source: BL NO - SNKO05B250100198.exe, suoEnXDEHePT.exe.0.dr

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 0751CDCBh	0_2_0751D209
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 02F3F1F6h	9_2_02F3F007
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 02F3FB80h	9_2_02F3F007
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_02F3E528
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_02F3EB5B
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_02F3ED3C
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A28945h	9_2_05A28608
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A28459h	9_2_05A281B0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A25441h	9_2_05A25198
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A27BA9h	9_2_05A27900
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A20FF1h	9_2_05A20D48
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A28001h	9_2_05A27D58
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A27751h	9_2_05A274A8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A20741h	9_2_05A20498
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A20B99h	9_2_05A208F0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A202E9h	9_2_05A20040
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A272FAh	9_2_05A27050
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_05A233A8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_05A233B8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A26E79h	9_2_05A26BD0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A265C9h	9_2_05A26320
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A26A21h	9_2_05A26778
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A26171h	9_2_05A25EC8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_05A236CE
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A258C1h	9_2_05A25618
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 4x nop then jmp 05A25D19h	9_2_05A25A70
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 01AFF1F6h	17_2_01AFF007
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 01AFFB80h	17_2_01AFF007
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_01AFE528
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_01AFEB5B
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_01AFED3C
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07198945h	17_2_07198608
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07196A21h	17_2_07196778
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 071958C1h	17_2_07195618
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07196171h	17_2_07195EC8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_071936CE
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07198001h	17_2_07197D58
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07190FF1h	17_2_07190D48
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07190741h	17_2_07190498
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07197751h	17_2_071974A8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 071965C9h	17_2_07196320
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_071933B8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_071933A8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07196E79h	17_2_07196BD0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07195D19h	17_2_07195A70
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07197BA9h	17_2_07197900
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07195441h	17_2_07195198
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07198459h	17_2_071981B0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 071972FAh	17_2_07197050
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 071902E9h	17_2_07190040
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 4x nop then jmp 07190B99h	17_2_071908F0

Source: global traffic

TCP traffic: 192.168.2.4:63932 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49753 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49768 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa

Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003131000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000303A000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003123000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003599000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035B4000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000358B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003131000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000303A000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003103000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003123000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000307D000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003599000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035B4000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000353B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000358B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4175960074.0000000001328000.00000004.00000020.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: suoEnXDEHePT.exe, 00000011.00000002.4182709013.0000000006D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft/
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003131000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003052000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003123000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003599000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035B4000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000358B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1751281690.00000000029BF000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 0000000A.00000002.1785208185.000000000343F000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000000.00000002.1755065699.0000000005504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1755164909.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003131000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000303A000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003123000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000307D000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003599000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035B4000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000353B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000358B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000303A000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003131000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.0000000003123000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.000000000307D000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.0000000003599000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035B4000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000353B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000358B000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_0292E41C	0_2_0292E41C
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_04F20517	0_2_04F20517
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_04F20518	0_2_04F20518
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_0751EC50	0_2_0751EC50
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_07518620	0_2_07518620
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_075175E0	0_2_075175E0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_075192F0	0_2_075192F0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_075171A8	0_2_075171A8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_07516D70	0_2_07516D70
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_07516D3D	0_2_07516D3D
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_07567CDB	0_2_07567CDB
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_07567CE0	0_2_07567CE0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 0_2_0756A088	0_2_0756A088
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3B328	9_2_02F3B328
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3F007	9_2_02F3F007
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3C190	9_2_02F3C190
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F36108	9_2_02F36108
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3C752	9_2_02F3C752
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3C470	9_2_02F3C470
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F34AD9	9_2_02F34AD9
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3CA32	9_2_02F3CA32
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3BBD2	9_2_02F3BBD2
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F36880	9_2_02F36880
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F39858	9_2_02F39858
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3BEB0	9_2_02F3BEB0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3B4F2	9_2_02F3B4F2
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F33572	9_2_02F33572
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3E528	9_2_02F3E528
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_02F3E517	9_2_02F3E517
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2C9D8	9_2_05A2C9D8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2BD38	9_2_05A2BD38
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2B0A0	9_2_05A2B0A0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2D028	9_2_05A2D028
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2A408	9_2_05A2A408
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2C388	9_2_05A2C388
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A28B58	9_2_05A28B58
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2B6E8	9_2_05A2B6E8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A28608	9_2_05A28608
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2D670	9_2_05A2D670
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2AA58	9_2_05A2AA58
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A211A0	9_2_05A211A0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A281A0	9_2_05A281A0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A281B0	9_2_05A281B0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2518A	9_2_05A2518A
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A21191	9_2_05A21191
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25198	9_2_05A25198
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A285FC	9_2_05A285FC
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2C9C8	9_2_05A2C9C8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2BD28	9_2_05A2BD28
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20D39	9_2_05A20D39
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27900	9_2_05A27900
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20D48	9_2_05A20D48
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27D48	9_2_05A27D48
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27D58	9_2_05A27D58
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A274A8	9_2_05A274A8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A228B0	9_2_05A228B0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20488	9_2_05A20488
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2B08F	9_2_05A2B08F
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27497	9_2_05A27497
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20498	9_2_05A20498
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A208E0	9_2_05A208E0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A208F0	9_2_05A208F0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A278F0	9_2_05A278F0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A24430	9_2_05A24430
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20007	9_2_05A20007
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A22807	9_2_05A22807
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A22809	9_2_05A22809
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2D018	9_2_05A2D018
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A20040	9_2_05A20040
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27040	9_2_05A27040
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A27050	9_2_05A27050
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A233A8	9_2_05A233A8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A233B8	9_2_05A233B8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2A3F8	9_2_05A2A3F8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26BC1	9_2_05A26BC1
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26BD0	9_2_05A26BD0
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26320	9_2_05A26320
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A23730	9_2_05A23730
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26312	9_2_05A26312
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26772	9_2_05A26772
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A26778	9_2_05A26778
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2C378	9_2_05A2C378
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25EB8	9_2_05A25EB8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25EC8	9_2_05A25EC8
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2B6D9	9_2_05A2B6D9
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2560A	9_2_05A2560A
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25618	9_2_05A25618
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2D662	9_2_05A2D662
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25A60	9_2_05A25A60
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A25A70	9_2_05A25A70
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Code function: 9_2_05A2AA48	9_2_05A2AA48
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 10_2_0320E41C	10_2_0320E41C
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFC190	17_2_01AFC190
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AF6108	17_2_01AF6108
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFF007	17_2_01AFF007
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFB4A0	17_2_01AFB4A0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFC470	17_2_01AFC470
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFC753	17_2_01AFC753
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AF6880	17_2_01AF6880
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AF9858	17_2_01AF9858
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFBBD3	17_2_01AFBBD3
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AF4AD9	17_2_01AF4AD9
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFCA33	17_2_01AFCA33
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFBEB0	17_2_01AFBEB0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFE528	17_2_01AFE528
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AFE517	17_2_01AFE517
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_01AF3573	17_2_01AF3573
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07198608	17_2_07198608
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719D670	17_2_0719D670
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719B6E8	17_2_0719B6E8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719BD38	17_2_0719BD38
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719A408	17_2_0719A408
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07198C51	17_2_07198C51
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719C388	17_2_0719C388
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719AA58	17_2_0719AA58
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071911A0	17_2_071911A0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719C9D8	17_2_0719C9D8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719D028	17_2_0719D028
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719B0A0	17_2_0719B0A0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07193730	17_2_07193730
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07196778	17_2_07196778
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719676A	17_2_0719676A
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195618	17_2_07195618
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195609	17_2_07195609
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719D662	17_2_0719D662
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195EB8	17_2_07195EB8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719B6D9	17_2_0719B6D9
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195EC8	17_2_07195EC8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190D39	17_2_07190D39
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719BD28	17_2_0719BD28
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197D58	17_2_07197D58
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190D48	17_2_07190D48
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197D48	17_2_07197D48
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071985FC	17_2_071985FC
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07194430	17_2_07194430
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190498	17_2_07190498
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197497	17_2_07197497
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190488	17_2_07190488
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071974A8	17_2_071974A8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07196310	17_2_07196310
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07196320	17_2_07196320
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719C378	17_2_0719C378
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071933B8	17_2_071933B8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071933A8	17_2_071933A8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07196BD0	17_2_07196BD0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07196BC1	17_2_07196BC1
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719A3F8	17_2_0719A3F8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719AA48	17_2_0719AA48
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195A70	17_2_07195A70
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195A60	17_2_07195A60
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197900	17_2_07197900
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07195198	17_2_07195198
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07191191	17_2_07191191
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719518A	17_2_0719518A
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071981B0	17_2_071981B0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071981A0	17_2_071981A0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719C9C8	17_2_0719C9C8
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07192818	17_2_07192818
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719D018	17_2_0719D018
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190007	17_2_07190007
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07192807	17_2_07192807
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197050	17_2_07197050
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07190040	17_2_07190040
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_07197040	17_2_07197040
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_0719B08F	17_2_0719B08F
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071908F0	17_2_071908F0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071978F0	17_2_071978F0
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Code function: 17_2_071908E0	17_2_071908E0

Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1756159293.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1751281690.0000000002A15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1749869626.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000000.1699645970.0000000000690000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameolrc.exeH vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1756910229.0000000007420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1756367448.0000000007119000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1751281690.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1751281690.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4175432635.0000000000D97000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BL NO - SNKO05B250100198.exe
Source: BL NO - SNKO05B250100198.exe	Binary or memory string: OriginalFilenameolrc.exeH vs BL NO - SNKO05B250100198.exe

Source: BL NO - SNKO05B250100198.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: BL NO - SNKO05B250100198.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: suoEnXDEHePT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, PVlyP4XP7w0j05AcrK.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, PVlyP4XP7w0j05AcrK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, HAglvi8gmwwKNrCrEH.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, PVlyP4XP7w0j05AcrK.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, PVlyP4XP7w0j05AcrK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/15@4/2

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Mutant created: \Sessions\1\BaseNamedObjects\fSTveorHONhnDQOPG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp

Jump to behavior

Source: BL NO - SNKO05B250100198.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BL NO - SNKO05B250100198.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000031CD000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, BL NO - SNKO05B250100198.exe, 00000009.00000002.4178062543.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000366D000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000367D000.00000004.00000800.00020000.00000000.sdmp, suoEnXDEHePT.exe, 00000011.00000002.4178395775.000000000368B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BL NO - SNKO05B250100198.exe	Virustotal: Detection: 38%
Source: BL NO - SNKO05B250100198.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File read: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BL NO - SNKO05B250100198.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BL NO - SNKO05B250100198.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BL NO - SNKO05B250100198.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: olrc.pdbSHA256 source: BL NO - SNKO05B250100198.exe, suoEnXDEHePT.exe.0.dr
Source:	Binary string: olrc.pdb source: BL NO - SNKO05B250100198.exe, suoEnXDEHePT.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, HAglvi8gmwwKNrCrEH.cs	.Net Code: eBgin2vkbF System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, HAglvi8gmwwKNrCrEH.cs	.Net Code: eBgin2vkbF System.Reflection.Assembly.Load(byte[])

Source: BL NO - SNKO05B250100198.exe

Static PE information: 0xE95BA2C1 [Sat Jan 23 14:52:49 2094 UTC]

Source: BL NO - SNKO05B250100198.exe	Static PE information: section name: .text entropy: 7.760817371537136
Source: suoEnXDEHePT.exe.0.dr	Static PE information: section name: .text entropy: 7.760817371537136

Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, mlllOhoidFBh6loUUVD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yfKfdD0lRG', 'liXf1BXyJn', 'tjAfASkugY', 't52ff6dLEZ', 'yoCfvpsHp0', 'UVffwPCPNk', 'slwfLtbcDe'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, hJyAVWooPeadliR5Sav.cs	High entropy of concatenated method names: 'cGx1Nk3abQ', 'd9F1zBTvpe', 't4mAmEsuGX', 'tD8Ao0kiqc', 'cy6A4TR2yg', 'TX4ACJHLlG', 'nNbAi75TrN', 'vNXAY0G69L', 'Hc8ARxbdVg', 'JWmAlecXXO'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, CVR7ePl8NWk5Aj5sFk.cs	High entropy of concatenated method names: 'Dispose', 'qD5oamKFN9', 'Us54gO74wJ', 'nocs0ounLo', 'WguoNYZ83H', 'hPOozVLYIw', 'ProcessDialogKey', 'xps4mfMiuK', 'fWT4oFcB7Q', 'WLy44QCHWl'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, DPXOgRBCHt2i2Z3PfC.cs	High entropy of concatenated method names: 'Fc0ESyXQ1F', 'Gd9EIO1nxU', 'rFJrTgNjLv', 'fYUrhhyU1r', 'lCnryZJjlJ', 'VolrQo4PIS', 'fxqrDv1aDe', 'hw1rZVnsNi', 'mgUrUmLANt', 'x0truW1RdB'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, KCHWlKNShe698bnHvp.cs	High entropy of concatenated method names: 'sag1rLR7XE', 'zSp1EUlJbH', 'luj1Vqdiuv', 'uj21MwZbnX', 'vaG1du5ko6', 'bX718ZRmAJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, XvQvNDomFOMDnMuVYYs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iks1qXj3aP', 'g6v1tB59Pq', 'kJS1pdC5Lf', 'Q7N1O6HO2T', 'QRl1ju20vM', 'Mj61FVbr2d', 'XUa1bvLTbO'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, HAglvi8gmwwKNrCrEH.cs	High entropy of concatenated method names: 'T9vCYQL6Qn', 'b0jCRDsDfE', 'AgLClWvGC1', 'z2jCrgNKFN', 'xmvCEAcpYb', 'y37CVEBwW2', 'H2CCMR8MA4', 'sc5C8lPWy9', 'nrWCkjReTV', 'HfKCKsJRCU'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, OQiFQb4tK3ayX5aWEY.cs	High entropy of concatenated method names: 'eTrnOvr9L', 'NTZcH12Bb', 'wOveeevSi', 'f21IZnWP4', 'DiO6vUF0d', 'CFwBFsRCv', 'Yf9A7bgoRy1Vto4R4Z', 'fv0vPeo0nV1nsdR5gi', 'pQ3Hgo8Rn', 'WBX11bTnw'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, hJAJV164WQYMakZWGQ.cs	High entropy of concatenated method names: 'uALrcLdMep', 'DB0reoJIFm', 'aBurXQIjhh', 'Y5Fr6qxT9h', 'q1mr966tid', 'hftr5grM9e', 'wSVr3ad3ks', 'rBtrHcXrgM', 'WRnrdJAiTK', 'hofr13Fke6'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, xYJsNIFpWWN6vCleoA.cs	High entropy of concatenated method names: 'ToString', 'P3f5qqYO9K', 'xHB5g01yTi', 'EPE5TIxrWu', 'feq5h8lBMr', 'CG65ynu2sh', 'Frb5QRCsww', 'U6d5DlTI9I', 'c1Y5ZXkLvv', 'rgj5UNtcPl'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, IX9WdEpqSeolEG7Gil.cs	High entropy of concatenated method names: 'BeGPXRCV1X', 'MJAP6HtG8U', 'fjtPG3UngX', 'Jv5PgPbD6O', 'pSDPhf2WIw', 'tVcPyOywkN', 'yf1PD1jHOf', 'ekrPZcWxkX', 'N8WPuD44ci', 'saOPqBJVqx'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, mFqhXBDlERBQqiYTNA.cs	High entropy of concatenated method names: 'DMCMRM1wvb', 'sqfMroX0hT', 'xa7MVs1pdb', 'ghjVNVr4OH', 'oU6VzJAay1', 'wAlMmC9003', 'iAZMoSFJsV', 'HRkM4RF4gN', 'xdDMCj8wVb', 'jJQMi0Jx29'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, KjU1edzhWuMcWU6hbB.cs	High entropy of concatenated method names: 'ddS1eXIkM4', 'aAc1X7TQ9U', 'qKu16gAHZB', 'jpG1GLmkIC', 'VCl1ga7Wsw', 'rud1hhmYUN', 'DMv1yPv9HJ', 'mCU1LQ6L2P', 'Gir1JJlFel', 'QYq1xU2FjF'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, UfMiuKaRWTFcB7Q2Ly.cs	High entropy of concatenated method names: 'oYjdGnea3f', 'rQ7dgH9C8p', 'uCxdTIL5VP', 'M7CdhJ707M', 'fxFdyCa2We', 'JoidQNTAlw', 'u04dDBqMm3', 'oFddZ8N6rO', 'hGxdUU71iL', 'oX8duWb5v2'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, xXBbKhUxkpY4OvIxt4.cs	High entropy of concatenated method names: 'X4gMJv5pJm', 'hI6MxPaCap', 'ahOMnT2ZgJ', 'cs6McE0ydp', 'LXNMS8Z6uF', 'B3KMeEOlTa', 'YR1MI7Myx9', 'XUDMXxNZ0a', 'D22M6GJDO1', 'FLuMBGA8j7'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, PVlyP4XP7w0j05AcrK.cs	High entropy of concatenated method names: 'HQmlOIWLNM', 'zFHljAAVYq', 'PchlF2MDNC', 'Na9lboj9yv', 'T70ls5o2Vi', 'kIbl0KRkGj', 'YESl7Gdrek', 'WNul2HOEmY', 'jKNlaT0R9h', 'gqMlNp6YW0'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, fMtuyy0jUS2h7AhnES.cs	High entropy of concatenated method names: 'CUf328BFw3', 'eWQ3NGXhAc', 'xjKHmcDACB', 'iKtHo3iRDX', 'iiK3qchwM9', 'IYQ3tc2vG1', 'LDL3pluxcF', 'GKA3Oan0IA', 'TNs3jZrboQ', 'PIq3FAEM86'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, GenJThGr1ZnP1aE8H0.cs	High entropy of concatenated method names: 'O7TVYmsOHX', 'mtrVlfxtr5', 'ItKVEfCl8D', 'qAvVMFOgwu', 'VkPV8i2Vqj', 'znkEsCWGV5', 'pZAE0ulALC', 'xpKE7FPSsE', 'h1GE2u6vp9', 'NAfEa07ffY'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, F7wiQfbZxwUwR5t5iM.cs	High entropy of concatenated method names: 'Gp83KGajOE', 't6g3Wehwuw', 'ToString', 'PuF3RE5Xmd', 'bhc3ldLClf', 'ONy3rHiIrL', 'zwV3EapjbP', 'V3E3VtHxRh', 'WHp3M6JHqx', 'USQ38D3SOw'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, fjZdppO9M9OhVMvGRL.cs	High entropy of concatenated method names: 'gUV9uUlOlH', 'rK69t4LOg9', 'Cmp9OAbX9s', 'fbC9jkSc1h', 'C119gDel8I', 'vqb9TMqx8f', 'P1H9hfKeSr', 'beG9yFAQqS', 'Mn69Qxmn6s', 'J3s9D0eFcZ'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, YYUQSn7Hr3D5mKFN97.cs	High entropy of concatenated method names: 'hWBd9GD0tU', 'ntXd3fs2Vq', 'hpDddHwgqV', 'MZ7dA0hUm8', 'lH5dvNTq8X', 'Db1dL5lr8I', 'Dispose', 'gNHHR6HEiy', 'BbXHlTD6cN', 'hFIHrKWLwk'
Source: 0.2.BL NO - SNKO05B250100198.exe.3b05af0.3.raw.unpack, UWb4XUinX3UcauclFN.cs	High entropy of concatenated method names: 'pDtoMVlyP4', 'n7wo80j05A', 't4WoKQYMak', 'LWGoWQXPXO', 'L3Po9fCgen', 'yTho5r1ZnP', 'fw7jFTqs8eqYPcwWMx', 'M8g7HSJLKgoIiNRU8V', 'UyYooyIFUg', 'ybRoC5ES1i'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, mlllOhoidFBh6loUUVD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yfKfdD0lRG', 'liXf1BXyJn', 'tjAfASkugY', 't52ff6dLEZ', 'yoCfvpsHp0', 'UVffwPCPNk', 'slwfLtbcDe'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, hJyAVWooPeadliR5Sav.cs	High entropy of concatenated method names: 'cGx1Nk3abQ', 'd9F1zBTvpe', 't4mAmEsuGX', 'tD8Ao0kiqc', 'cy6A4TR2yg', 'TX4ACJHLlG', 'nNbAi75TrN', 'vNXAY0G69L', 'Hc8ARxbdVg', 'JWmAlecXXO'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, CVR7ePl8NWk5Aj5sFk.cs	High entropy of concatenated method names: 'Dispose', 'qD5oamKFN9', 'Us54gO74wJ', 'nocs0ounLo', 'WguoNYZ83H', 'hPOozVLYIw', 'ProcessDialogKey', 'xps4mfMiuK', 'fWT4oFcB7Q', 'WLy44QCHWl'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, DPXOgRBCHt2i2Z3PfC.cs	High entropy of concatenated method names: 'Fc0ESyXQ1F', 'Gd9EIO1nxU', 'rFJrTgNjLv', 'fYUrhhyU1r', 'lCnryZJjlJ', 'VolrQo4PIS', 'fxqrDv1aDe', 'hw1rZVnsNi', 'mgUrUmLANt', 'x0truW1RdB'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, KCHWlKNShe698bnHvp.cs	High entropy of concatenated method names: 'sag1rLR7XE', 'zSp1EUlJbH', 'luj1Vqdiuv', 'uj21MwZbnX', 'vaG1du5ko6', 'bX718ZRmAJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, XvQvNDomFOMDnMuVYYs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iks1qXj3aP', 'g6v1tB59Pq', 'kJS1pdC5Lf', 'Q7N1O6HO2T', 'QRl1ju20vM', 'Mj61FVbr2d', 'XUa1bvLTbO'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, HAglvi8gmwwKNrCrEH.cs	High entropy of concatenated method names: 'T9vCYQL6Qn', 'b0jCRDsDfE', 'AgLClWvGC1', 'z2jCrgNKFN', 'xmvCEAcpYb', 'y37CVEBwW2', 'H2CCMR8MA4', 'sc5C8lPWy9', 'nrWCkjReTV', 'HfKCKsJRCU'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, OQiFQb4tK3ayX5aWEY.cs	High entropy of concatenated method names: 'eTrnOvr9L', 'NTZcH12Bb', 'wOveeevSi', 'f21IZnWP4', 'DiO6vUF0d', 'CFwBFsRCv', 'Yf9A7bgoRy1Vto4R4Z', 'fv0vPeo0nV1nsdR5gi', 'pQ3Hgo8Rn', 'WBX11bTnw'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, hJAJV164WQYMakZWGQ.cs	High entropy of concatenated method names: 'uALrcLdMep', 'DB0reoJIFm', 'aBurXQIjhh', 'Y5Fr6qxT9h', 'q1mr966tid', 'hftr5grM9e', 'wSVr3ad3ks', 'rBtrHcXrgM', 'WRnrdJAiTK', 'hofr13Fke6'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, xYJsNIFpWWN6vCleoA.cs	High entropy of concatenated method names: 'ToString', 'P3f5qqYO9K', 'xHB5g01yTi', 'EPE5TIxrWu', 'feq5h8lBMr', 'CG65ynu2sh', 'Frb5QRCsww', 'U6d5DlTI9I', 'c1Y5ZXkLvv', 'rgj5UNtcPl'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, IX9WdEpqSeolEG7Gil.cs	High entropy of concatenated method names: 'BeGPXRCV1X', 'MJAP6HtG8U', 'fjtPG3UngX', 'Jv5PgPbD6O', 'pSDPhf2WIw', 'tVcPyOywkN', 'yf1PD1jHOf', 'ekrPZcWxkX', 'N8WPuD44ci', 'saOPqBJVqx'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, mFqhXBDlERBQqiYTNA.cs	High entropy of concatenated method names: 'DMCMRM1wvb', 'sqfMroX0hT', 'xa7MVs1pdb', 'ghjVNVr4OH', 'oU6VzJAay1', 'wAlMmC9003', 'iAZMoSFJsV', 'HRkM4RF4gN', 'xdDMCj8wVb', 'jJQMi0Jx29'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, KjU1edzhWuMcWU6hbB.cs	High entropy of concatenated method names: 'ddS1eXIkM4', 'aAc1X7TQ9U', 'qKu16gAHZB', 'jpG1GLmkIC', 'VCl1ga7Wsw', 'rud1hhmYUN', 'DMv1yPv9HJ', 'mCU1LQ6L2P', 'Gir1JJlFel', 'QYq1xU2FjF'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, UfMiuKaRWTFcB7Q2Ly.cs	High entropy of concatenated method names: 'oYjdGnea3f', 'rQ7dgH9C8p', 'uCxdTIL5VP', 'M7CdhJ707M', 'fxFdyCa2We', 'JoidQNTAlw', 'u04dDBqMm3', 'oFddZ8N6rO', 'hGxdUU71iL', 'oX8duWb5v2'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, xXBbKhUxkpY4OvIxt4.cs	High entropy of concatenated method names: 'X4gMJv5pJm', 'hI6MxPaCap', 'ahOMnT2ZgJ', 'cs6McE0ydp', 'LXNMS8Z6uF', 'B3KMeEOlTa', 'YR1MI7Myx9', 'XUDMXxNZ0a', 'D22M6GJDO1', 'FLuMBGA8j7'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, PVlyP4XP7w0j05AcrK.cs	High entropy of concatenated method names: 'HQmlOIWLNM', 'zFHljAAVYq', 'PchlF2MDNC', 'Na9lboj9yv', 'T70ls5o2Vi', 'kIbl0KRkGj', 'YESl7Gdrek', 'WNul2HOEmY', 'jKNlaT0R9h', 'gqMlNp6YW0'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, fMtuyy0jUS2h7AhnES.cs	High entropy of concatenated method names: 'CUf328BFw3', 'eWQ3NGXhAc', 'xjKHmcDACB', 'iKtHo3iRDX', 'iiK3qchwM9', 'IYQ3tc2vG1', 'LDL3pluxcF', 'GKA3Oan0IA', 'TNs3jZrboQ', 'PIq3FAEM86'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, GenJThGr1ZnP1aE8H0.cs	High entropy of concatenated method names: 'O7TVYmsOHX', 'mtrVlfxtr5', 'ItKVEfCl8D', 'qAvVMFOgwu', 'VkPV8i2Vqj', 'znkEsCWGV5', 'pZAE0ulALC', 'xpKE7FPSsE', 'h1GE2u6vp9', 'NAfEa07ffY'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, F7wiQfbZxwUwR5t5iM.cs	High entropy of concatenated method names: 'Gp83KGajOE', 't6g3Wehwuw', 'ToString', 'PuF3RE5Xmd', 'bhc3ldLClf', 'ONy3rHiIrL', 'zwV3EapjbP', 'V3E3VtHxRh', 'WHp3M6JHqx', 'USQ38D3SOw'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, fjZdppO9M9OhVMvGRL.cs	High entropy of concatenated method names: 'gUV9uUlOlH', 'rK69t4LOg9', 'Cmp9OAbX9s', 'fbC9jkSc1h', 'C119gDel8I', 'vqb9TMqx8f', 'P1H9hfKeSr', 'beG9yFAQqS', 'Mn69Qxmn6s', 'J3s9D0eFcZ'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, YYUQSn7Hr3D5mKFN97.cs	High entropy of concatenated method names: 'hWBd9GD0tU', 'ntXd3fs2Vq', 'hpDddHwgqV', 'MZ7dA0hUm8', 'lH5dvNTq8X', 'Db1dL5lr8I', 'Dispose', 'gNHHR6HEiy', 'BbXHlTD6cN', 'hFIHrKWLwk'
Source: 0.2.BL NO - SNKO05B250100198.exe.7420000.7.raw.unpack, UWb4XUinX3UcauclFN.cs	High entropy of concatenated method names: 'pDtoMVlyP4', 'n7wo80j05A', 't4WoKQYMak', 'LWGoWQXPXO', 'L3Po9fCgen', 'yTho5r1ZnP', 'fw7jFTqs8eqYPcwWMx', 'M8g7HSJLKgoIiNRU8V', 'UyYooyIFUg', 'ybRoC5ES1i'

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

File created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 8D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 9F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 9180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: A180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: B180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 1A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 3430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Memory allocated: 1A10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599396	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598941	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599235
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598985
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598860
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598493
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598266
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598141
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597794
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596426
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596306
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595813
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594362
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594235

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6537	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7989	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 757	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Window / User API: threadDelayed 7513	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Window / User API: threadDelayed 2322	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Window / User API: threadDelayed 1394
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Window / User API: threadDelayed 8441

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 6036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 6537 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 195 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7840	Thread sleep count: 7513 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7840	Thread sleep count: 2322 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599396s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598941s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe TID: 7836	Thread sleep time: -594047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7912	Thread sleep count: 1394 > 30
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7912	Thread sleep count: 8441 > 30
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599235s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -599110s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598985s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598860s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598493s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598266s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598141s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597794s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597688s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597563s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596426s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596306s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -596063s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595813s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594362s >= -30000s
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe TID: 7908	Thread sleep time: -594235s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599396	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598941	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599235
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598985
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598860
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598493
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598266
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598141
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597794
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596426
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596306
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595813
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594362
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Thread delayed: delay time: 594235

Source: suoEnXDEHePT.exe, 00000011.00000002.4175806177.0000000001606000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: BL NO - SNKO05B250100198.exe, 00000000.00000002.1749869626.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\<
Source: BL NO - SNKO05B250100198.exe, 00000009.00000002.4175960074.0000000001328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Memory written: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp2C9B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Process created: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe "C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\suoEnXDEHePT" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Process created: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe "C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4178062543.000000000313F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4178395775.00000000035FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4178395775.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\BL NO - SNKO05B250100198.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\suoEnXDEHePT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4462490.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.suoEnXDEHePT.exe.4441a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39e17f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NO - SNKO05B250100198.exe.39c0dd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4178062543.000000000313F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4175052349.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4178395775.00000000035FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1787640714.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4178062543.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752358057.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4178395775.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NO - SNKO05B250100198.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: suoEnXDEHePT.exe PID: 7776, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BL NO - SNKO05B250100198.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
BL NO - SNKO05B250100198.exe