Edit tour

Windows Analysis Report
mCqTwcbnfm.exe

Overview

General Information

Sample name:	mCqTwcbnfm.exe renamed because original name is a hash value
Original sample name:	270d25fa4c48a659c108da5452b8b90ea07f0473ee4dcaeb66889eb0e2443c99.exe
Analysis ID:	1632424
MD5:	00e8957d98a3a103e315a16751bbab0f
SHA1:	edc58a709f451f598e2189baa579e40b02437c12
SHA256:	270d25fa4c48a659c108da5452b8b90ea07f0473ee4dcaeb66889eb0e2443c99
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mCqTwcbnfm.exe (PID: 4160 cmdline: "C:\Users\user\Desktop\mCqTwcbnfm.exe" MD5: 00E8957D98A3A103E315A16751BBAB0F)

powershell.exe (PID: 2648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7244 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4732 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mCqTwcbnfm.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\mCqTwcbnfm.exe" MD5: 00E8957D98A3A103E315A16751BBAB0F)

jFvxxbujkwUz.exe (PID: 7196 cmdline: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe MD5: 00E8957D98A3A103E315A16751BBAB0F)

schtasks.exe (PID: 7332 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jFvxxbujkwUz.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe" MD5: 00E8957D98A3A103E315A16751BBAB0F)

jFvxxbujkwUz.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe" MD5: 00E8957D98A3A103E315A16751BBAB0F)

svchost.exe (PID: 7624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2099301772.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1bf:$a1: get_encryptedPassword 0x25ddf:$a1: get_encryptedPassword 0xf4e7:$a2: get_encryptedUsername 0x26107:$a2: get_encryptedUsername 0xef5a:$a3: get_timePasswordChanged 0x25b7a:$a3: get_timePasswordChanged 0xf07b:$a4: get_passwordField 0x25c9b:$a4: get_passwordField 0xf1d5:$a5: set_encryptedPassword 0x25df5:$a5: set_encryptedPassword 0x10b31:$a7: get_logins 0x27751:$a7: get_logins 0x107e2:$a8: GetOutlookPasswords 0x27402:$a8: GetOutlookPasswords 0x105d4:$a9: StartKeylogger 0x271f4:$a9: StartKeylogger 0x10a81:$a10: KeyLoggerEventArgs 0x276a1:$a10: KeyLoggerEventArgs 0x10631:$a11: KeyLoggerEventArgsEventHandler 0x27251:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.2102239325.00000000034D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2101920585.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10057:$a1: get_encryptedPassword 0x26c77:$a1: get_encryptedPassword 0x1037f:$a2: get_encryptedUsername 0x26f9f:$a2: get_encryptedUsername 0xfdf2:$a3: get_timePasswordChanged 0x26a12:$a3: get_timePasswordChanged 0xff13:$a4: get_passwordField 0x26b33:$a4: get_passwordField 0x1006d:$a5: set_encryptedPassword 0x26c8d:$a5: set_encryptedPassword 0x119c9:$a7: get_logins 0x285e9:$a7: get_logins 0x1167a:$a8: GetOutlookPasswords 0x2829a:$a8: GetOutlookPasswords 0x1146c:$a9: StartKeylogger 0x2808c:$a9: StartKeylogger 0x11919:$a10: KeyLoggerEventArgs 0x28539:$a10: KeyLoggerEventArgs 0x114c9:$a11: KeyLoggerEventArgsEventHandler 0x280e9:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf6cf:$a1: get_encryptedPassword 0xf9f7:$a2: get_encryptedUsername 0xf46a:$a3: get_timePasswordChanged 0xf58b:$a4: get_passwordField 0xf6e5:$a5: set_encryptedPassword 0x11041:$a7: get_logins 0x10cf2:$a8: GetOutlookPasswords 0x10ae4:$a9: StartKeylogger 0x10f91:$a10: KeyLoggerEventArgs 0x10b41:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 4160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54b81:$a1: get_encryptedPassword 0x86a03:$a1: get_encryptedPassword 0x54e9a:$a2: get_encryptedUsername 0x86d1c:$a2: get_encryptedUsername 0x54930:$a3: get_timePasswordChanged 0x867b2:$a3: get_timePasswordChanged 0x54a51:$a4: get_passwordField 0x868d3:$a4: get_passwordField 0x54b97:$a5: set_encryptedPassword 0x86a19:$a5: set_encryptedPassword 0x5649a:$a7: get_logins 0x8831c:$a7: get_logins 0x5614b:$a8: GetOutlookPasswords 0x87fcd:$a8: GetOutlookPasswords 0x55f3d:$a9: StartKeylogger 0x87dbf:$a9: StartKeylogger 0x563ea:$a10: KeyLoggerEventArgs 0x8826c:$a10: KeyLoggerEventArgs 0x55f9a:$a11: KeyLoggerEventArgsEventHandler 0x87e1c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: mCqTwcbnfm.exe PID: 6312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 6312	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: mCqTwcbnfm.exe PID: 6312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7196	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x654b:$a1: get_encryptedPassword 0x6864:$a2: get_encryptedUsername 0x62fa:$a3: get_timePasswordChanged 0x641b:$a4: get_passwordField 0x6561:$a5: set_encryptedPassword 0x7e64:$a7: get_logins 0x7b15:$a8: GetOutlookPasswords 0x7907:$a9: StartKeylogger 0x7db4:$a10: KeyLoggerEventArgs 0x7964:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: jFvxxbujkwUz.exe PID: 7392	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7392	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: jFvxxbujkwUz.exe PID: 7392	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29d96:$a1: get_encryptedPassword 0x29b45:$a3: get_timePasswordChanged 0x29c66:$a4: get_passwordField 0x29dac:$a5: set_encryptedPassword 0x4a781:$a7: get_logins 0x4a432:$a8: GetOutlookPasswords 0x4a224:$a9: StartKeylogger 0x4a6d1:$a10: KeyLoggerEventArgs 0x4a281:$a11: KeyLoggerEventArgsEventHandler
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.mCqTwcbnfm.exe.37ca528.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.mCqTwcbnfm.exe.4254eb0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
6.2.mCqTwcbnfm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.mCqTwcbnfm.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
6.2.mCqTwcbnfm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.mCqTwcbnfm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2adcb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a2c9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x2a5d7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data 0x2b3cf:$a5: \Kometa\User Data\Default\Login Data
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\mCqTwcbnfm.exe", ParentImage: C:\Users\user\Desktop\mCqTwcbnfm.exe, ParentProcessId: 4160, ParentProcessName: mCqTwcbnfm.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", ProcessId: 2648, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe, ParentImage: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe, ParentProcessId: 7196, ParentProcessName: jFvxxbujkwUz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp", ProcessId: 7332, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\mCqTwcbnfm.exe", ParentImage: C:\Users\user\Desktop\mCqTwcbnfm.exe, ParentProcessId: 4160, ParentProcessName: mCqTwcbnfm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", ProcessId: 4732, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\mCqTwcbnfm.exe", ParentImage: C:\Users\user\Desktop\mCqTwcbnfm.exe, ParentProcessId: 4160, ParentProcessName: mCqTwcbnfm.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe", ProcessId: 2648, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7624, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\mCqTwcbnfm.exe", ParentImage: C:\Users\user\Desktop\mCqTwcbnfm.exe, ParentProcessId: 4160, ParentProcessName: mCqTwcbnfm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp", ProcessId: 4732, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:36:14.186510+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49685	158.101.44.242	80	TCP
2025-03-07T23:36:14.327249+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49686	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mCqTwcbnfm.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.fcrdm

Found malware configuration

Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Virustotal: Detection: 79%			Perma Link

Multi AV Scanner detection for submitted file

Source: mCqTwcbnfm.exe	Virustotal: Detection: 79%			Perma Link
Source: mCqTwcbnfm.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: mCqTwcbnfm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49688 version: TLS 1.0

Source: mCqTwcbnfm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1A7D8h	6_2_02A1A3C0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1A0B1h	6_2_02A19E00
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1E640h	6_2_02A1E220
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1A7D8h	6_2_02A1A3B0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1EA98h	6_2_02A1E7F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1A7D8h	6_2_02A1A706
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1EEF0h	6_2_02A1EC48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1F348h	6_2_02A1F0A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1F7A0h	6_2_02A1F4F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 02A1FBF8h	6_2_02A1F950
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056318A0h	6_2_056315F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05633840h	6_2_05633598
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056326E0h	6_2_05632438
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05630740h	6_2_05630498
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056349A0h	6_2_056346F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056333E8h	6_2_05633140
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_056351E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05631448h	6_2_056311A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056302E8h	6_2_05630040
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then mov esp, ebp	6_2_056393F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05634548h	6_2_056342A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05630FF0h	6_2_05630D48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05632F90h	6_2_05632CE8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05635EB5h	6_2_05635CD8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 0563683Fh	6_2_05635CD8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 056340F0h	6_2_05633E48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05632152h	6_2_05631EA8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05633C98h	6_2_056339F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05630B98h	6_2_056308F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05632B38h	6_2_05632890
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05634DF8h	6_2_05634B50
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 4x nop then jmp 05631CF8h	6_2_05631A50
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 06DAEFADh	7_2_06DAF233
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 01849731h	12_2_01849480
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 01849E5Ah	12_2_01849A40
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 01849E5Ah	12_2_01849A30
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 01849E5Ah	12_2_01849D87
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599F2A8h	12_2_0599F000
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05995E15h	12_2_05995AD8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05998830h	12_2_05998588
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 059947C9h	12_2_05994520
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 059976D0h	12_2_05997428
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599F700h	12_2_0599F458
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599E9F8h	12_2_0599E750
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05995929h	12_2_05995680
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 059983D8h	12_2_05998130
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599E5A0h	12_2_0599E2F8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 059954D1h	12_2_05995228
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05995079h	12_2_05994DD0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05997F80h	12_2_05997CD8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05997278h	12_2_05996FD0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05994C21h	12_2_05994978
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 05997B28h	12_2_05997880
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599FB58h	12_2_0599F8B0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 4x nop then jmp 0599EE50h	12_2_0599EBA8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49686 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49685 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49688 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: mCqTwcbnfm.exe, jFvxxbujkwUz.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: mCqTwcbnfm.exe, jFvxxbujkwUz.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 0000000D.00000002.2102762415.000001C03DE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.13.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: mCqTwcbnfm.exe, jFvxxbujkwUz.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000341B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000341B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: mCqTwcbnfm.exe, 00000000.00000002.897810995.0000000002951000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.924419840.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000D.00000003.1203740728.000001C03DCC0000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: mCqTwcbnfm.exe, jFvxxbujkwUz.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_00AEDFC4	0_2_00AEDFC4
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06828803	0_2_06828803
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06828808	0_2_06828808
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7A658	0_2_06B7A658
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B79E48	0_2_06B79E48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7BF78	0_2_06B7BF78
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B71A40	0_2_06B71A40
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7B058	0_2_06B7B058
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B79E38	0_2_06B79E38
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7CF80	0_2_06B7CF80
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7BF25	0_2_06B7BF25
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7CF70	0_2_06B7CF70
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B78F58	0_2_06B78F58
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E5F0	0_2_06B7E5F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E5E1	0_2_06B7E5E1
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7DDC2	0_2_06B7DDC2
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B71A30	0_2_06B71A30
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E360	0_2_06B7E360
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E352	0_2_06B7E352
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E1F0	0_2_06B7E1F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7E1E0	0_2_06B7E1E0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA41E8	0_2_06CA41E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA3B08	0_2_06CA3B08
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2870	0_2_06CA2870
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA46B8	0_2_06CA46B8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA46B2	0_2_06CA46B2
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA0040	0_2_06CA0040
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA0021	0_2_06CA0021
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA41D9	0_2_06CA41D9
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CAD1B0	0_2_06CAD1B0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2FAF	0_2_06CA2FAF
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2FB0	0_2_06CA2FB0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2D49	0_2_06CA2D49
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2D58	0_2_06CA2D58
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CADAE0	0_2_06CADAE0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2AF8	0_2_06CA2AF8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA3AF8	0_2_06CA3AF8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2B08	0_2_06CA2B08
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CABB08	0_2_06CABB08
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2860	0_2_06CA2860
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A19E00	6_2_02A19E00
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1E220	6_2_02A1E220
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1E7E0	6_2_02A1E7E0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1E7F0	6_2_02A1E7F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1EC39	6_2_02A1EC39
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1EC48	6_2_02A1EC48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A12DD1	6_2_02A12DD1
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F0A0	6_2_02A1F0A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F090	6_2_02A1F090
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F4E8	6_2_02A1F4E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F4F8	6_2_02A1F4F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F941	6_2_02A1F941
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A1F950	6_2_02A1F950
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_02A19DEF	6_2_02A19DEF
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05639120	6_2_05639120
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05638038	6_2_05638038
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05637398	6_2_05637398
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05636D50	6_2_05636D50
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056379E8	6_2_056379E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056315E8	6_2_056315E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056315F8	6_2_056315F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633588	6_2_05633588
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633598	6_2_05633598
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632427	6_2_05632427
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632438	6_2_05632438
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630489	6_2_05630489
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630498	6_2_05630498
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05638670	6_2_05638670
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056346EA	6_2_056346EA
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056346F8	6_2_056346F8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05638680	6_2_05638680
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633140	6_2_05633140
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633130	6_2_05633130
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05639110	6_2_05639110
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056351E8	6_2_056351E8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056351D8	6_2_056351D8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056311A0	6_2_056311A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05631190	6_2_05631190
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630040	6_2_05630040
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_0563802C	6_2_0563802C
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630007	6_2_05630007
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05637388	6_2_05637388
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056342A0	6_2_056342A0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05634292	6_2_05634292
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630D48	6_2_05630D48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05630D38	6_2_05630D38
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05636D3F	6_2_05636D3F
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632CE8	6_2_05632CE8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05635CC8	6_2_05635CC8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05635CD8	6_2_05635CD8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632CD8	6_2_05632CD8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633E48	6_2_05633E48
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05633E38	6_2_05633E38
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05631EA8	6_2_05631EA8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05631E98	6_2_05631E98
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056339E6	6_2_056339E6
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056339F0	6_2_056339F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056379D8	6_2_056379D8
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056308E0	6_2_056308E0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_056308F0	6_2_056308F0
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632880	6_2_05632880
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05632890	6_2_05632890
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05634B40	6_2_05634B40
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05634B50	6_2_05634B50
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05631A41	6_2_05631A41
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 6_2_05631A50	6_2_05631A50
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_00D7DFC4	7_2_00D7DFC4
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA9E48	7_2_06DA9E48
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAA668	7_2_06DAA668
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DABF78	7_2_06DABF78
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA1A40	7_2_06DA1A40
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAB068	7_2_06DAB068
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAA658	7_2_06DAA658
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DACE50	7_2_06DACE50
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DACE40	7_2_06DACE40
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA9E38	7_2_06DA9E38
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA8F58	7_2_06DA8F58
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA8F68	7_2_06DA8F68
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DABF25	7_2_06DABF25
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DADDD0	7_2_06DADDD0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DADDC2	7_2_06DADDC2
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE5F0	7_2_06DAE5F0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE5E1	7_2_06DAE5E1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DA1A30	7_2_06DA1A30
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE352	7_2_06DAE352
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE360	7_2_06DAE360
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAB058	7_2_06DAB058
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE1F0	7_2_06DAE1F0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DAE1E0	7_2_06DAE1E0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C3B08	7_2_0A7C3B08
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2870	7_2_0A7C2870
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C41E8	7_2_0A7C41E8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2AF8	7_2_0A7C2AF8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C3AF8	7_2_0A7C3AF8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7CDAE0	7_2_0A7CDAE0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7CBB08	7_2_0A7CBB08
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2860	7_2_0A7C2860
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2FA1	7_2_0A7C2FA1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2D58	7_2_0A7C2D58
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C2D49	7_2_0A7C2D49
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7CB298	7_2_0A7CB298
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C0040	7_2_0A7C0040
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C0007	7_2_0A7C0007
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C41DA	7_2_0A7C41DA
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7CD1B0	7_2_0A7CD1B0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7CB6D0	7_2_0A7CB6D0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C46B8	7_2_0A7C46B8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C46B2	7_2_0A7C46B2
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0184C530	12_2_0184C530
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_018427B9	12_2_018427B9
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_01842DD1	12_2_01842DD1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_01849480	12_2_01849480
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0184C521	12_2_0184C521
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0184946F	12_2_0184946F
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05996138	12_2_05996138
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599F000	12_2_0599F000
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_059913A8	12_2_059913A8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599BC50	12_2_0599BC50
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599AE78	12_2_0599AE78
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_059989E0	12_2_059989E0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05990AB8	12_2_05990AB8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05995AD8	12_2_05995AD8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05998588	12_2_05998588
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599450F	12_2_0599450F
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05994520	12_2_05994520
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05998579	12_2_05998579
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997418	12_2_05997418
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997428	12_2_05997428
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599F458	12_2_0599F458
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599F448	12_2_0599F448
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599E750	12_2_0599E750
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599E740	12_2_0599E740
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05995680	12_2_05995680
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599566F	12_2_0599566F
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05998130	12_2_05998130
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599612A	12_2_0599612A
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05998120	12_2_05998120
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599E170	12_2_0599E170
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05990330	12_2_05990330
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05990320	12_2_05990320
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599E2F8	12_2_0599E2F8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599521A	12_2_0599521A
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05995228	12_2_05995228
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05994DD0	12_2_05994DD0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05994DC0	12_2_05994DC0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05990CD8	12_2_05990CD8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997CD8	12_2_05997CD8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997CC8	12_2_05997CC8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05996FD0	12_2_05996FD0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05996FC3	12_2_05996FC3
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599EFF0	12_2_0599EFF0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05994978	12_2_05994978
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05994969	12_2_05994969
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997880	12_2_05997880
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599F8B0	12_2_0599F8B0
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599F8A1	12_2_0599F8A1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05997871	12_2_05997871
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599EB98	12_2_0599EB98
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_0599EBA8	12_2_0599EBA8
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 12_2_05995ACA	12_2_05995ACA

Source: mCqTwcbnfm.exe

Static PE information: invalid certificate

Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000003FE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000000.846366252.0000000000322000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLTZe.exe< vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000002.902472359.000000000B0B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000002.897810995.0000000002951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000000.00000002.890885267.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe, 00000006.00000002.2099665496.00000000009E7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs mCqTwcbnfm.exe
Source: mCqTwcbnfm.exe	Binary or memory string: OriginalFilenameLTZe.exe< vs mCqTwcbnfm.exe

Source: mCqTwcbnfm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: mCqTwcbnfm.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jFvxxbujkwUz.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, COCqghUF3mYC8hHFOy.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/3

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Mutant created: \Sessions\1\BaseNamedObjects\oQaYnXcxsaOTWWLsfmy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC491.tmp

Jump to behavior

Source: mCqTwcbnfm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: mCqTwcbnfm.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2104010322.0000000003B7D000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.0000000003491000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000349D000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000345E000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000347C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: mCqTwcbnfm.exe	Virustotal: Detection: 79%
Source: mCqTwcbnfm.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File read: C:\Users\user\Desktop\mCqTwcbnfm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mCqTwcbnfm.exe "C:\Users\user\Desktop\mCqTwcbnfm.exe"
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Users\user\Desktop\mCqTwcbnfm.exe "C:\Users\user\Desktop\mCqTwcbnfm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Users\user\Desktop\mCqTwcbnfm.exe "C:\Users\user\Desktop\mCqTwcbnfm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: mCqTwcbnfm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: mCqTwcbnfm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, COCqghUF3mYC8hHFOy.cs	.Net Code: FMVXakSqM1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, COCqghUF3mYC8hHFOy.cs	.Net Code: FMVXakSqM1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, COCqghUF3mYC8hHFOy.cs	.Net Code: FMVXakSqM1 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_068265E0 pushfd ; retf	0_2_068265ED
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06828319 push C00504C5h; iretd	0_2_06828325
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B72721 push eax; retf	0_2_06B72733
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06B7BA10 push cs; ret	0_2_06B7BA11
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA26E3 push es; iretd	0_2_06CA26EC
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA2793 push es; iretd	0_2_06CA2798
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA24E5 push es; ret	0_2_06CA24EC
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA24F7 push es; retf	0_2_06CA2510
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Code function: 0_2_06CA45E0 push eax; ret	0_2_06CA45E1
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_00D7E958 pushfd ; retf	7_2_00D7E959
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_04F2D7A0 push eax; mov dword ptr [esp], ecx	7_2_04F2D7B4
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_04F2DE7F push eax; ret	7_2_04F2DEB3
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_06DABA10 push cs; ret	7_2_06DABA11
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Code function: 7_2_0A7C45E0 push eax; ret	7_2_0A7C45E1

Source: mCqTwcbnfm.exe	Static PE information: section name: .text entropy: 7.648915607221944
Source: jFvxxbujkwUz.exe.0.dr	Static PE information: section name: .text entropy: 7.648915607221944

Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, f6O3jWzUI3cUfPo2oX.cs	High entropy of concatenated method names: 'c0R4IgsH0l', 'NCD4nZb7ue', 'S4e4Wbtcit', 'dNK4yTwgOO', 'qDZ4GLFdIw', 'Pqq4bCjYHr', 'Y4E4AhusK5', 'lnQ4l7yISd', 'DCR4PeHjUs', 'lgw4YCH0lW'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, zAUuH8KjHPbdNZPqNL.cs	High entropy of concatenated method names: 'GI98S3rd1Q', 'oJ58cSUY9L', 'hpwphaNjd4', 'KZhpdpuaeA', 'sL48mJxS9F', 'WMh8JITrcI', 'vRN8osObD1', 'TMk8kIXQYV', 'Avr8tCfhfo', 'JZn8jBKTXD'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, jrm9ehf0SlUCqdALsI.cs	High entropy of concatenated method names: 'Dispose', 'Yh1d0U7MTY', 'cw9xGJtRHc', 'pYK47gq4QU', 'CDMdc1GlJP', 'aUQdzBaAWq', 'ProcessDialogKey', 'tBWxh6U88J', 'C7OxdEAU0u', 'JCyxxlMnlL'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, OyYO7Ty6xN9UxM1y0U.cs	High entropy of concatenated method names: 'Y63vDII620', 'AUpvfwvCFa', 't1FvqBGuOZ', 'aLQvRGQTVr', 'WZgvU6MN4p', 'EmIqOR4UMC', 'KvnqKOxeof', 'fIOqiDb4WI', 'ogGqSN1RfK', 'xBGq0KsxwP'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, nbplZOW9L9E3YRHOvs.cs	High entropy of concatenated method names: 'YWACTPtWNQ', 'uQrCITnO2r', 'cSBCnMVmB1', 'TWaCW9pjVH', 'kWQC34wbRY', 'VsbCVomPFp', 'ISLC8kmOMn', 'VmQCpO2YpD', 'ldeC67jkvi', 'dIpC43jR2o'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, Ko67nRXv2U3FRR8Wpv.cs	High entropy of concatenated method names: 'E3BdRR12Nc', 'jh2dUDMxJ9', 'U9Ld99E3YR', 'NOvdMs4ldt', 'vbld3sSmyY', 'U7TdV6xN9U', 'RHArhyvdwq3ObOMAZV', 'ArLTbbCVlnXqXhfR85', 'hvfdd8P6mH', 'Xx7dZcxkFH'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, wMnlLPcGBb0tmDBE59.cs	High entropy of concatenated method names: 'xp54COWYj4', 'Gpj4q2xPij', 'kXm4vnR31o', 'ggo4Rh1EfB', 'PgR46Fg8dD', 'NG74UlmxCW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, PU2pRBdx1B05qnB7TS8.cs	High entropy of concatenated method names: 'ToString', 'MGyLn6KtYq', 'Wx5LWE6FiQ', 'SWML2wZMOt', 'JYALy4234e', 'sSmLGaUViD', 'V33L5hUXbU', 'GqBLb4LPgR', 'HMW9SCLNRjLycL6hfph', 'vqhK3ILQexjWrKtT4f1'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, E8r0brj02KZaeWrFrb.cs	High entropy of concatenated method names: 'ToString', 'zykVmS0pse', 'iKtVGGKggM', 'gRJV5CRxcZ', 'TatVbf3RqJ', 'M1vVAZAIGs', 'Dy1Vu1YiFX', 'dCPV1AcowS', 'DVuVEuqwiB', 'FweVHIQ12F'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, xwSNbkoiTSKh9yXRLi.cs	High entropy of concatenated method names: 'IdEen63aG7', 'FR7eW1sweR', 'Fmkeyh1KZF', 'jf5eGxntIH', 'XaxebbZHnw', 'ExDeAxgjAM', 'RyPe14pPCu', 'XUXeEIadmO', 'JY0eNgBwVr', 'uTMemEH7sr'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, usKQ7sdXIQhaWdUhBTb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pJrg662A7f', 'd5Rg4x3Xqr', 'B9tgLAphE9', 'z1QggaYL0Y', 'lpXgFPKqip', 'kbsgwvjPyP', 'p1IglggGjb'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, VhFwgUHvvGxtn3YtPK.cs	High entropy of concatenated method names: 'cUPRPWDV2r', 'xOaRYq0ASb', 'HjIRaPJfn3', 'gkIRTRyRTo', 'H7aR71y9tq', 'FX0RIx8buh', 'UpGRr9Hta6', 'vU5RnW8my1', 'k6eRWB52m5', 'lAlR2fKaAZ'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, E6U88J0r7OEAU0uACy.cs	High entropy of concatenated method names: 'kuy6yFL99j', 'r0H6GxXCUb', 'qXy65bmtfB', 'su26bbNT08', 'lJk6AASkCL', 'YKB6uIH9qY', 'mnx61diy2N', 'EoO6Etw5nT', 'yBs6HIcep8', 'o7L6Nbpeak'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, kBCGHZdhu6mNnfGQyFW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LiT4mTuLhG', 'ehk4JMQDAI', 'stP4o7ujPs', 'nU24kQHk1B', 'cUA4tWKs6H', 'OPW4jg1hYL', 'KYm4QFkgtj'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	High entropy of concatenated method names: 'AxBfkeZG5I', 'bohft3iTSt', 'mQOfjQVNOG', 'vq1fQadd16', 'RCifOAJVQI', 't0qfKQsYnC', 'Ialfi9X5cl', 'f5cfSFEgME', 'bsyf0gryN8', 'DITfc8BrvV'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, QTDuqlQxx4x1BqsTfC.cs	High entropy of concatenated method names: 'nQY89lKQOQ', 'XIB8Mt2cKF', 'ToString', 'ftF8s4W4Dv', 'y4c8fgaSDw', 'toA8Ci6Suk', 'ibE8qF5DqD', 'iPl8vKMoaG', 'SvU8REurLU', 'gi28UWIYdE'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, XrU5K4ddXMOlfC6yawS.cs	High entropy of concatenated method names: 'VQI4cILgBU', 'f484zapOZy', 'zOsLhKZ6lQ', 'astLdKFlqV', 'ebpLxS7qyU', 'ShWLZtjtoM', 'hM2LXcv2E3', 'zWTLDc8I9o', 'TbOLsantd8', 'yleLfo4ghi'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, ASZrgpkdX0UPg9Gf7q.cs	High entropy of concatenated method names: 'Vca3NqF82c', 'zPf3JAGNNx', 'wJT3k6SGNK', 'v9Y3tgty12', 'iex3GsdGW4', 'BpD35HUIMg', 'ipI3bfwX3C', 'MZK3A8qEic', 'Bvi3uh0BdQ', 'sMk31gmvco'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, sldtpe2vEW3knwblsS.cs	High entropy of concatenated method names: 'A9Wq7HkaCG', 'fEfqriqHVX', 'uFDC5kAtoj', 'yFQCbUdXpF', 'Ln1CASoShF', 'zF1Cu6CPWV', 'oDvC1PcMK6', 'tKUCEaR870', 'gktCHH2b6R', 'wVcCNFJZc5'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, COCqghUF3mYC8hHFOy.cs	High entropy of concatenated method names: 'jlgZD9oOCH', 'yp8ZslEehf', 'Cb3Zfl9Mls', 'V6nZCew5sl', 'LnGZqOHZJx', 'q5iZvgQLvc', 'pSbZRm1KLY', 's2QZUeb0iZ', 'lrIZBykeEQ', 'DPfZ9MWT3v'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, DtdSj4xpgxmuYtCD3W.cs	High entropy of concatenated method names: 'fKsaMYB7r', 'A7fTMM4t8', 'kGXI9J2I4', 'FxZrnWfwM', 'EE6WfGc0I', 'qbd2Q9UuD', 'hpJPg9Sej0oiiS5Urx', 'fgwIVpJcEZUMNSASpL', 'aMrpZ3knh', 'vVs42XdVN'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, AvYBuMC83f77g90uOh.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'n0Px01YZKQ', 'WKMxc0vdEp', 'bakxzEYuIc', 'UngZhMiknV', 'TDKZdPDnhF', 'p9iZx0OUlF', 'clPZZNRXCY', 'JequLTGTWHYaKAN9PXd'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, sYQigCilq0h1U7MTYr.cs	High entropy of concatenated method names: 'u1163tNIv0', 'FwS68hSZY7', 'eKj66ZHmoR', 'eZU6Lbhas5', 'PDV6FA2BtW', 'lAb6lvEOCS', 'Dispose', 'drspsR19wm', 'x9ppftnOnY', 'fR2pCZxcnF'
Source: 0.2.mCqTwcbnfm.exe.415e308.0.raw.unpack, QIEPSM1rU8H901aMRB.cs	High entropy of concatenated method names: 'iMRRs8c2gN', 'ciIRCgCOS7', 'gZfRvNk8Cx', 'NOBvcnDCwA', 'qDjvzLG0wj', 'i2tRhv6B5d', 'xaVRdCVNAd', 'isJRxp6ayG', 'ci0RZM9X3P', 'Mk1RXbSKRS'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, f6O3jWzUI3cUfPo2oX.cs	High entropy of concatenated method names: 'c0R4IgsH0l', 'NCD4nZb7ue', 'S4e4Wbtcit', 'dNK4yTwgOO', 'qDZ4GLFdIw', 'Pqq4bCjYHr', 'Y4E4AhusK5', 'lnQ4l7yISd', 'DCR4PeHjUs', 'lgw4YCH0lW'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, zAUuH8KjHPbdNZPqNL.cs	High entropy of concatenated method names: 'GI98S3rd1Q', 'oJ58cSUY9L', 'hpwphaNjd4', 'KZhpdpuaeA', 'sL48mJxS9F', 'WMh8JITrcI', 'vRN8osObD1', 'TMk8kIXQYV', 'Avr8tCfhfo', 'JZn8jBKTXD'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, jrm9ehf0SlUCqdALsI.cs	High entropy of concatenated method names: 'Dispose', 'Yh1d0U7MTY', 'cw9xGJtRHc', 'pYK47gq4QU', 'CDMdc1GlJP', 'aUQdzBaAWq', 'ProcessDialogKey', 'tBWxh6U88J', 'C7OxdEAU0u', 'JCyxxlMnlL'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, OyYO7Ty6xN9UxM1y0U.cs	High entropy of concatenated method names: 'Y63vDII620', 'AUpvfwvCFa', 't1FvqBGuOZ', 'aLQvRGQTVr', 'WZgvU6MN4p', 'EmIqOR4UMC', 'KvnqKOxeof', 'fIOqiDb4WI', 'ogGqSN1RfK', 'xBGq0KsxwP'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, nbplZOW9L9E3YRHOvs.cs	High entropy of concatenated method names: 'YWACTPtWNQ', 'uQrCITnO2r', 'cSBCnMVmB1', 'TWaCW9pjVH', 'kWQC34wbRY', 'VsbCVomPFp', 'ISLC8kmOMn', 'VmQCpO2YpD', 'ldeC67jkvi', 'dIpC43jR2o'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, Ko67nRXv2U3FRR8Wpv.cs	High entropy of concatenated method names: 'E3BdRR12Nc', 'jh2dUDMxJ9', 'U9Ld99E3YR', 'NOvdMs4ldt', 'vbld3sSmyY', 'U7TdV6xN9U', 'RHArhyvdwq3ObOMAZV', 'ArLTbbCVlnXqXhfR85', 'hvfdd8P6mH', 'Xx7dZcxkFH'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, wMnlLPcGBb0tmDBE59.cs	High entropy of concatenated method names: 'xp54COWYj4', 'Gpj4q2xPij', 'kXm4vnR31o', 'ggo4Rh1EfB', 'PgR46Fg8dD', 'NG74UlmxCW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, PU2pRBdx1B05qnB7TS8.cs	High entropy of concatenated method names: 'ToString', 'MGyLn6KtYq', 'Wx5LWE6FiQ', 'SWML2wZMOt', 'JYALy4234e', 'sSmLGaUViD', 'V33L5hUXbU', 'GqBLb4LPgR', 'HMW9SCLNRjLycL6hfph', 'vqhK3ILQexjWrKtT4f1'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, E8r0brj02KZaeWrFrb.cs	High entropy of concatenated method names: 'ToString', 'zykVmS0pse', 'iKtVGGKggM', 'gRJV5CRxcZ', 'TatVbf3RqJ', 'M1vVAZAIGs', 'Dy1Vu1YiFX', 'dCPV1AcowS', 'DVuVEuqwiB', 'FweVHIQ12F'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, xwSNbkoiTSKh9yXRLi.cs	High entropy of concatenated method names: 'IdEen63aG7', 'FR7eW1sweR', 'Fmkeyh1KZF', 'jf5eGxntIH', 'XaxebbZHnw', 'ExDeAxgjAM', 'RyPe14pPCu', 'XUXeEIadmO', 'JY0eNgBwVr', 'uTMemEH7sr'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, usKQ7sdXIQhaWdUhBTb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pJrg662A7f', 'd5Rg4x3Xqr', 'B9tgLAphE9', 'z1QggaYL0Y', 'lpXgFPKqip', 'kbsgwvjPyP', 'p1IglggGjb'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, VhFwgUHvvGxtn3YtPK.cs	High entropy of concatenated method names: 'cUPRPWDV2r', 'xOaRYq0ASb', 'HjIRaPJfn3', 'gkIRTRyRTo', 'H7aR71y9tq', 'FX0RIx8buh', 'UpGRr9Hta6', 'vU5RnW8my1', 'k6eRWB52m5', 'lAlR2fKaAZ'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, E6U88J0r7OEAU0uACy.cs	High entropy of concatenated method names: 'kuy6yFL99j', 'r0H6GxXCUb', 'qXy65bmtfB', 'su26bbNT08', 'lJk6AASkCL', 'YKB6uIH9qY', 'mnx61diy2N', 'EoO6Etw5nT', 'yBs6HIcep8', 'o7L6Nbpeak'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, kBCGHZdhu6mNnfGQyFW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LiT4mTuLhG', 'ehk4JMQDAI', 'stP4o7ujPs', 'nU24kQHk1B', 'cUA4tWKs6H', 'OPW4jg1hYL', 'KYm4QFkgtj'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	High entropy of concatenated method names: 'AxBfkeZG5I', 'bohft3iTSt', 'mQOfjQVNOG', 'vq1fQadd16', 'RCifOAJVQI', 't0qfKQsYnC', 'Ialfi9X5cl', 'f5cfSFEgME', 'bsyf0gryN8', 'DITfc8BrvV'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, QTDuqlQxx4x1BqsTfC.cs	High entropy of concatenated method names: 'nQY89lKQOQ', 'XIB8Mt2cKF', 'ToString', 'ftF8s4W4Dv', 'y4c8fgaSDw', 'toA8Ci6Suk', 'ibE8qF5DqD', 'iPl8vKMoaG', 'SvU8REurLU', 'gi28UWIYdE'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, XrU5K4ddXMOlfC6yawS.cs	High entropy of concatenated method names: 'VQI4cILgBU', 'f484zapOZy', 'zOsLhKZ6lQ', 'astLdKFlqV', 'ebpLxS7qyU', 'ShWLZtjtoM', 'hM2LXcv2E3', 'zWTLDc8I9o', 'TbOLsantd8', 'yleLfo4ghi'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, ASZrgpkdX0UPg9Gf7q.cs	High entropy of concatenated method names: 'Vca3NqF82c', 'zPf3JAGNNx', 'wJT3k6SGNK', 'v9Y3tgty12', 'iex3GsdGW4', 'BpD35HUIMg', 'ipI3bfwX3C', 'MZK3A8qEic', 'Bvi3uh0BdQ', 'sMk31gmvco'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, sldtpe2vEW3knwblsS.cs	High entropy of concatenated method names: 'A9Wq7HkaCG', 'fEfqriqHVX', 'uFDC5kAtoj', 'yFQCbUdXpF', 'Ln1CASoShF', 'zF1Cu6CPWV', 'oDvC1PcMK6', 'tKUCEaR870', 'gktCHH2b6R', 'wVcCNFJZc5'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, COCqghUF3mYC8hHFOy.cs	High entropy of concatenated method names: 'jlgZD9oOCH', 'yp8ZslEehf', 'Cb3Zfl9Mls', 'V6nZCew5sl', 'LnGZqOHZJx', 'q5iZvgQLvc', 'pSbZRm1KLY', 's2QZUeb0iZ', 'lrIZBykeEQ', 'DPfZ9MWT3v'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, DtdSj4xpgxmuYtCD3W.cs	High entropy of concatenated method names: 'fKsaMYB7r', 'A7fTMM4t8', 'kGXI9J2I4', 'FxZrnWfwM', 'EE6WfGc0I', 'qbd2Q9UuD', 'hpJPg9Sej0oiiS5Urx', 'fgwIVpJcEZUMNSASpL', 'aMrpZ3knh', 'vVs42XdVN'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, AvYBuMC83f77g90uOh.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'n0Px01YZKQ', 'WKMxc0vdEp', 'bakxzEYuIc', 'UngZhMiknV', 'TDKZdPDnhF', 'p9iZx0OUlF', 'clPZZNRXCY', 'JequLTGTWHYaKAN9PXd'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, sYQigCilq0h1U7MTYr.cs	High entropy of concatenated method names: 'u1163tNIv0', 'FwS68hSZY7', 'eKj66ZHmoR', 'eZU6Lbhas5', 'PDV6FA2BtW', 'lAb6lvEOCS', 'Dispose', 'drspsR19wm', 'x9ppftnOnY', 'fR2pCZxcnF'
Source: 0.2.mCqTwcbnfm.exe.41b9328.3.raw.unpack, QIEPSM1rU8H901aMRB.cs	High entropy of concatenated method names: 'iMRRs8c2gN', 'ciIRCgCOS7', 'gZfRvNk8Cx', 'NOBvcnDCwA', 'qDjvzLG0wj', 'i2tRhv6B5d', 'xaVRdCVNAd', 'isJRxp6ayG', 'ci0RZM9X3P', 'Mk1RXbSKRS'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, f6O3jWzUI3cUfPo2oX.cs	High entropy of concatenated method names: 'c0R4IgsH0l', 'NCD4nZb7ue', 'S4e4Wbtcit', 'dNK4yTwgOO', 'qDZ4GLFdIw', 'Pqq4bCjYHr', 'Y4E4AhusK5', 'lnQ4l7yISd', 'DCR4PeHjUs', 'lgw4YCH0lW'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, zAUuH8KjHPbdNZPqNL.cs	High entropy of concatenated method names: 'GI98S3rd1Q', 'oJ58cSUY9L', 'hpwphaNjd4', 'KZhpdpuaeA', 'sL48mJxS9F', 'WMh8JITrcI', 'vRN8osObD1', 'TMk8kIXQYV', 'Avr8tCfhfo', 'JZn8jBKTXD'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, jrm9ehf0SlUCqdALsI.cs	High entropy of concatenated method names: 'Dispose', 'Yh1d0U7MTY', 'cw9xGJtRHc', 'pYK47gq4QU', 'CDMdc1GlJP', 'aUQdzBaAWq', 'ProcessDialogKey', 'tBWxh6U88J', 'C7OxdEAU0u', 'JCyxxlMnlL'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, OyYO7Ty6xN9UxM1y0U.cs	High entropy of concatenated method names: 'Y63vDII620', 'AUpvfwvCFa', 't1FvqBGuOZ', 'aLQvRGQTVr', 'WZgvU6MN4p', 'EmIqOR4UMC', 'KvnqKOxeof', 'fIOqiDb4WI', 'ogGqSN1RfK', 'xBGq0KsxwP'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, nbplZOW9L9E3YRHOvs.cs	High entropy of concatenated method names: 'YWACTPtWNQ', 'uQrCITnO2r', 'cSBCnMVmB1', 'TWaCW9pjVH', 'kWQC34wbRY', 'VsbCVomPFp', 'ISLC8kmOMn', 'VmQCpO2YpD', 'ldeC67jkvi', 'dIpC43jR2o'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, Ko67nRXv2U3FRR8Wpv.cs	High entropy of concatenated method names: 'E3BdRR12Nc', 'jh2dUDMxJ9', 'U9Ld99E3YR', 'NOvdMs4ldt', 'vbld3sSmyY', 'U7TdV6xN9U', 'RHArhyvdwq3ObOMAZV', 'ArLTbbCVlnXqXhfR85', 'hvfdd8P6mH', 'Xx7dZcxkFH'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, wMnlLPcGBb0tmDBE59.cs	High entropy of concatenated method names: 'xp54COWYj4', 'Gpj4q2xPij', 'kXm4vnR31o', 'ggo4Rh1EfB', 'PgR46Fg8dD', 'NG74UlmxCW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, PU2pRBdx1B05qnB7TS8.cs	High entropy of concatenated method names: 'ToString', 'MGyLn6KtYq', 'Wx5LWE6FiQ', 'SWML2wZMOt', 'JYALy4234e', 'sSmLGaUViD', 'V33L5hUXbU', 'GqBLb4LPgR', 'HMW9SCLNRjLycL6hfph', 'vqhK3ILQexjWrKtT4f1'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, E8r0brj02KZaeWrFrb.cs	High entropy of concatenated method names: 'ToString', 'zykVmS0pse', 'iKtVGGKggM', 'gRJV5CRxcZ', 'TatVbf3RqJ', 'M1vVAZAIGs', 'Dy1Vu1YiFX', 'dCPV1AcowS', 'DVuVEuqwiB', 'FweVHIQ12F'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, xwSNbkoiTSKh9yXRLi.cs	High entropy of concatenated method names: 'IdEen63aG7', 'FR7eW1sweR', 'Fmkeyh1KZF', 'jf5eGxntIH', 'XaxebbZHnw', 'ExDeAxgjAM', 'RyPe14pPCu', 'XUXeEIadmO', 'JY0eNgBwVr', 'uTMemEH7sr'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, usKQ7sdXIQhaWdUhBTb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pJrg662A7f', 'd5Rg4x3Xqr', 'B9tgLAphE9', 'z1QggaYL0Y', 'lpXgFPKqip', 'kbsgwvjPyP', 'p1IglggGjb'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, VhFwgUHvvGxtn3YtPK.cs	High entropy of concatenated method names: 'cUPRPWDV2r', 'xOaRYq0ASb', 'HjIRaPJfn3', 'gkIRTRyRTo', 'H7aR71y9tq', 'FX0RIx8buh', 'UpGRr9Hta6', 'vU5RnW8my1', 'k6eRWB52m5', 'lAlR2fKaAZ'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, E6U88J0r7OEAU0uACy.cs	High entropy of concatenated method names: 'kuy6yFL99j', 'r0H6GxXCUb', 'qXy65bmtfB', 'su26bbNT08', 'lJk6AASkCL', 'YKB6uIH9qY', 'mnx61diy2N', 'EoO6Etw5nT', 'yBs6HIcep8', 'o7L6Nbpeak'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, kBCGHZdhu6mNnfGQyFW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LiT4mTuLhG', 'ehk4JMQDAI', 'stP4o7ujPs', 'nU24kQHk1B', 'cUA4tWKs6H', 'OPW4jg1hYL', 'KYm4QFkgtj'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, lR12NcnRh2DMxJ9XrW.cs	High entropy of concatenated method names: 'AxBfkeZG5I', 'bohft3iTSt', 'mQOfjQVNOG', 'vq1fQadd16', 'RCifOAJVQI', 't0qfKQsYnC', 'Ialfi9X5cl', 'f5cfSFEgME', 'bsyf0gryN8', 'DITfc8BrvV'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, QTDuqlQxx4x1BqsTfC.cs	High entropy of concatenated method names: 'nQY89lKQOQ', 'XIB8Mt2cKF', 'ToString', 'ftF8s4W4Dv', 'y4c8fgaSDw', 'toA8Ci6Suk', 'ibE8qF5DqD', 'iPl8vKMoaG', 'SvU8REurLU', 'gi28UWIYdE'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, XrU5K4ddXMOlfC6yawS.cs	High entropy of concatenated method names: 'VQI4cILgBU', 'f484zapOZy', 'zOsLhKZ6lQ', 'astLdKFlqV', 'ebpLxS7qyU', 'ShWLZtjtoM', 'hM2LXcv2E3', 'zWTLDc8I9o', 'TbOLsantd8', 'yleLfo4ghi'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, ASZrgpkdX0UPg9Gf7q.cs	High entropy of concatenated method names: 'Vca3NqF82c', 'zPf3JAGNNx', 'wJT3k6SGNK', 'v9Y3tgty12', 'iex3GsdGW4', 'BpD35HUIMg', 'ipI3bfwX3C', 'MZK3A8qEic', 'Bvi3uh0BdQ', 'sMk31gmvco'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, sldtpe2vEW3knwblsS.cs	High entropy of concatenated method names: 'A9Wq7HkaCG', 'fEfqriqHVX', 'uFDC5kAtoj', 'yFQCbUdXpF', 'Ln1CASoShF', 'zF1Cu6CPWV', 'oDvC1PcMK6', 'tKUCEaR870', 'gktCHH2b6R', 'wVcCNFJZc5'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, COCqghUF3mYC8hHFOy.cs	High entropy of concatenated method names: 'jlgZD9oOCH', 'yp8ZslEehf', 'Cb3Zfl9Mls', 'V6nZCew5sl', 'LnGZqOHZJx', 'q5iZvgQLvc', 'pSbZRm1KLY', 's2QZUeb0iZ', 'lrIZBykeEQ', 'DPfZ9MWT3v'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, DtdSj4xpgxmuYtCD3W.cs	High entropy of concatenated method names: 'fKsaMYB7r', 'A7fTMM4t8', 'kGXI9J2I4', 'FxZrnWfwM', 'EE6WfGc0I', 'qbd2Q9UuD', 'hpJPg9Sej0oiiS5Urx', 'fgwIVpJcEZUMNSASpL', 'aMrpZ3knh', 'vVs42XdVN'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, AvYBuMC83f77g90uOh.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'n0Px01YZKQ', 'WKMxc0vdEp', 'bakxzEYuIc', 'UngZhMiknV', 'TDKZdPDnhF', 'p9iZx0OUlF', 'clPZZNRXCY', 'JequLTGTWHYaKAN9PXd'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, sYQigCilq0h1U7MTYr.cs	High entropy of concatenated method names: 'u1163tNIv0', 'FwS68hSZY7', 'eKj66ZHmoR', 'eZU6Lbhas5', 'PDV6FA2BtW', 'lAb6lvEOCS', 'Dispose', 'drspsR19wm', 'x9ppftnOnY', 'fR2pCZxcnF'
Source: 0.2.mCqTwcbnfm.exe.b0b0000.5.raw.unpack, QIEPSM1rU8H901aMRB.cs	High entropy of concatenated method names: 'iMRRs8c2gN', 'ciIRCgCOS7', 'gZfRvNk8Cx', 'NOBvcnDCwA', 'qDjvzLG0wj', 'i2tRhv6B5d', 'xaVRdCVNAd', 'isJRxp6ayG', 'ci0RZM9X3P', 'Mk1RXbSKRS'

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

File created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 9560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 9750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: A750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: B110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: C110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: D110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 8220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 9220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 9400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: A400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: BE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: CE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6453			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3052			Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe TID: 5272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7688	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mCqTwcbnfm.exe, 00000006.00000002.2099774469.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: jFvxxbujkwUz.exe, 00000007.00000002.923309331.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: jFvxxbujkwUz.exe, 00000007.00000002.923309331.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\D~
Source: jFvxxbujkwUz.exe, 00000007.00000002.923309331.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: jFvxxbujkwUz.exe, 00000007.00000002.922905958.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bfS
Source: mCqTwcbnfm.exe, 00000000.00000002.901204240.000000000694D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000D.00000002.2101024972.000001C03882B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2102903319.000001C03DE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2102841128.000001C03DE40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: jFvxxbujkwUz.exe, 0000000C.00000002.2100020850.0000000001606000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Code function: 12_2_05990AB8 LdrInitializeThunk,LdrInitializeThunk,

12_2_05990AB8

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Memory written: C:\Users\user\Desktop\mCqTwcbnfm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Memory written: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Process created: C:\Users\user\Desktop\mCqTwcbnfm.exe "C:\Users\user\Desktop\mCqTwcbnfm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Process created: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Users\user\Desktop\mCqTwcbnfm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Users\user\Desktop\mCqTwcbnfm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2099301772.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\mCqTwcbnfm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2102239325.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2101920585.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2099301772.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7392, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mCqTwcbnfm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.37ca528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mCqTwcbnfm.exe.4254eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mCqTwcbnfm.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jFvxxbujkwUz.exe PID: 7196, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mCqTwcbnfm.exe	79%	Virustotal		Browse
mCqTwcbnfm.exe	71%	ReversingLabs	Win32.Trojan.Leonem
mCqTwcbnfm.exe	100%	Avira	TR/AD.SnakeStealer.fcrdm

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	100%	Avira	TR/AD.SnakeStealer.fcrdm
C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	71%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe	79%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://g.live.com/odclientsettings/Prod/C:	edb.log.13.dr, qmgr.db.13.dr	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000341B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.000000000341B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.ver)	svchost.exe, 0000000D.00000002.2102762415.000001C03DE00000.00000004.00000020.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 0000000D.00000003.1203740728.000001C03DCC0000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	false	high
http://checkip.dyndns.org	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	mCqTwcbnfm.exe, 00000000.00000002.897810995.0000000002951000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.924419840.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.0000000003381000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	mCqTwcbnfm.exe, jFvxxbujkwUz.exe.0.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	mCqTwcbnfm.exe, 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2101920585.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, mCqTwcbnfm.exe, 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, jFvxxbujkwUz.exe, 0000000C.00000002.2102239325.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632424
Start date and time:	2025-03-07 23:35:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mCqTwcbnfm.exe renamed because original name is a hash value
Original Sample Name:	270d25fa4c48a659c108da5452b8b90ea07f0473ee4dcaeb66889eb0e2443c99.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 299 Number of non-executed functions: 57
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:36:07	API Interceptor	1x Sleep call for process: mCqTwcbnfm.exe modified
17:36:09	API Interceptor	13x Sleep call for process: powershell.exe modified
17:36:10	API Interceptor	1x Sleep call for process: jFvxxbujkwUz.exe modified
17:36:42	API Interceptor	2x Sleep call for process: svchost.exe modified
23:36:09	Task Scheduler	Run new task: jFvxxbujkwUz path: C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
	Order confirmation.exe	Get hash	malicious	FormBook	Browse	www.englishmaterials.net/3nop/?-Z=cjlpd&Vz=5VQMUr9vdJst/aGqnmtehORilpahgrSgoeoRp4hSLdasMjOC27ijg2BR7Ep4jmwJ4Zkm
	Bank Transfer Accounting Copy.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
158.101.44.242	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	YGIVlkbMy7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	TMRASkMVAy.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	OtldpQxzAw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
reallyfreegeoip.org	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	OtldpQxzAw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	n8l3NmC5EH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Dear david@corerecon.com - Your Stay Has Been Successfully Booked Ocean Breeze Retreat.msg	Get hash	malicious	ScreenConnect Tool	Browse	1.1.1.1
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	Dropper.exe	Get hash	malicious	AsyncRAT, Trap Stealer, XWorm	Browse	162.159.135.232
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	6KzB3ReZ6z.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	3JZ4CUFqSs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
ORACLE-BMC-31898US	n8l3NmC5EH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	OtldpQxzAw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	iFoDComHqT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	n8l3NmC5EH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	OtldpQxzAw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8021865918672969
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAA:RJE+Lfki1GjHwU/+vVhWqpR
MD5:	550F42439A4971CCD205E538FA773BA1
SHA1:	31D4BF877BE6CA312938761D3C7D19B49A08420E
SHA-256:	4FAA952A77B6EC91E6045001841E6CE5DCDFD6B7056A4F526ED686C8FFE2AF39
SHA-512:	36D7A277BD8E5938E14054491814B1F00CC4B143746E03BE615359E540C0167CEE7F4789A726C489156559BA2076943C256B1AEC9A8B874BBE89103613915E29
Malicious:	false
Reputation:	low
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf334229a, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.9432997570139271
Encrypted:	false
SSDEEP:	1536:bSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:bazaHvxXy2V2UR
MD5:	5E9A79EFAB5BBF689D1DAB2B7EB9071D
SHA1:	1EF411DC0E6F42CEC49E55B6DB8E26AE4E6DA923
SHA-256:	F862E3AE9E48E7A2FB4BA6F208E29D27FACBCF54F154970BC70F56C6AC7A53DF
SHA-512:	9AE5D39E162CD9B4AF1F55047C000B1A5A479FF3FF196AD0294B911F1E4911131E35BE04699CF663A1282A0DEC8E369A574953F2B11E4E1C84F2CD54D790287E
Malicious:	false
Reputation:	low
Preview:	.4".... ...............X\...;...{......................0.x...... ...{s.$...}..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{.....................................$...}..................z0.$...}...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08024167025991015
Encrypted:	false
SSDEEP:	3:ZGtlKYe4FiYgvll/nqlFcl1ZUllll8Mi5llGBnX/l/Tj/k7/t:UKzyTqll/qlFclQ/lGME254
MD5:	BEA07C81F23E261173D8D2FFA02FA9CB
SHA1:	E6CED7F99A31893486F4B010BAED32CE6AA78D6B
SHA-256:	C60EB9DF883B5B3F5594B00AB7CC35373FFE93646C439A1934BB77E1E45DB7A9
SHA-512:	DBC8304A4F304048278084249DF248D4FE4A76B1CDAA15AC6DEECEA72C1200A61C163F3C17304D07A6CA9FEA75091146A368E01FC904589CAEF4B7D7CC01809E
Malicious:	false
Preview:	.c.......................................;...{..$...}... ...{s.......... ...{s.. ...{s.P.... ...{s.................z0.$...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jFvxxbujkwUz.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mCqTwcbnfm.exe.log

Download File

Process:	C:\Users\user\Desktop\mCqTwcbnfm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:fLHxvIIwLgZ2KRHWLOug8s
MD5:	1A71ECE43593D19630F97D4040AEED41
SHA1:	62DF351226E518ECF6019D8CCA3356A8073551A3
SHA-256:	38F4816F96E7B0F23EF75A046B2F69A293D52C00328E1FE5D354650D647B06B0
SHA-512:	B82C360A7894B8837433F4F69EF6DEF4F6D98D7333873AD383A39462311FF3C56F43035EE6E45160518D36B2CBDC17D9396D557B78AFAF1DAFF3A1AA52BC982E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijnrdsum.mx1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjhcen2u.1y0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovuxusyu.3sk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qef4ihgr.ipn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC491.tmp

Download File

Process:	C:\Users\user\Desktop\mCqTwcbnfm.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.123175504029269
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	C42357246F82E56CC47FADB8546C0130
SHA1:	CC75DF03CE915EA01E82311CC2B5E43369231269
SHA-256:	0F5AABE913CE8A8947C9F553A33DB430F4AABA93F7744DEE3C967C78204380E5
SHA-512:	94AAAF31EB4CB39BD8701A509BD9F0F9E900A8C8B3917A5D604E8D40510F52049F5074384373FD9F8E3F6760210998A16F58B037DBF293D8FB55CDD0D9198C07
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.123175504029269
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	C42357246F82E56CC47FADB8546C0130
SHA1:	CC75DF03CE915EA01E82311CC2B5E43369231269
SHA-256:	0F5AABE913CE8A8947C9F553A33DB430F4AABA93F7744DEE3C967C78204380E5
SHA-512:	94AAAF31EB4CB39BD8701A509BD9F0F9E900A8C8B3917A5D604E8D40510F52049F5074384373FD9F8E3F6760210998A16F58B037DBF293D8FB55CDD0D9198C07
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Download File

Process:	C:\Users\user\Desktop\mCqTwcbnfm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	592904
Entropy (8bit):	7.651978283843906
Encrypted:	false
SSDEEP:	12288:yCIAbZWUBjJRiEQlmdUpWMgmeFcF247lqkR:yqbYUx8VeFcjn
MD5:	00E8957D98A3A103E315A16751BBAB0F
SHA1:	EDC58A709F451F598E2189BAA579E40B02437C12
SHA-256:	270D25FA4C48A659C108DA5452B8B90EA07F0473EE4DCAEB66889EB0E2443C99
SHA-512:	5318CDD8D56ABB4DE738CA05260C0DC9B685FB408DF02E7B780B151BA34E5DEC31F132EA6CDDBE651D556C7DDA61F5D8B61881E87BE409D4C247B375C795EDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 79%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.g..............0................. ........@.. ....................... ............@.....................................O.......d................6........................................................... ............... ..H............text...@.... ...................... ..`.rsrc...d...........................@..@.reloc..............................@..B........................H........D..x:......9........V...........................................0.............<...%.r...p.%.r...p..r...p......(.....r...p.......,'............,.rc..p.+..r...p(....&......o.......r...p......%....o.....%...?....%...%...(........o..........(........r,..p...@...(........+.......0..R.............,..#......Y@X....,..#......V@X.+......,..#......I@X..#.......?Z...X....+...".(.......0............{.....+..*.0..>.........{.....i........+.....{......o........X...{.....i....-.

C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\mCqTwcbnfm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.651978283843906
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mCqTwcbnfm.exe
File size:	592'904 bytes
MD5:	00e8957d98a3a103e315a16751bbab0f
SHA1:	edc58a709f451f598e2189baa579e40b02437c12
SHA256:	270d25fa4c48a659c108da5452b8b90ea07f0473ee4dcaeb66889eb0e2443c99
SHA512:	5318cdd8d56abb4de738ca05260c0dc9b685fb408df02e7b780b151ba34e5dec31f132ea6cddbe651d556c7dda61f5d8b61881e87be409d4c247b375c795ede3
SSDEEP:	12288:yCIAbZWUBjJRiEQlmdUpWMgmeFcF247lqkR:yqbYUx8VeFcjn
TLSH:	EBC4D0C43B39F706DDA95A309A35DDB557A81DACB100B5E26EDD3B4BB8EC201A90CF05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.g..............0.............*.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	bfdbd0a493925a25

Static PE Info

General

Entrypoint:	0x48d62a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67A96F7F [Mon Feb 10 03:16:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d5d8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x1864	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8d600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8b640	0x8b800	f58987b7e70ed1b36d31f5e73a490f1d	False	0.8815734206989247	data	7.648915607221944	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x1864	0x1a00	fc91efa231994539f4364a6a5a3c5983	False	0.8150540865384616	data	7.201930819355957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	3b34e185baa0de308ce23b0adaab545b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8e0c8	0x1468	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9529096477794793
RT_GROUP_ICON	0x8f540	0x14	data	1.05
RT_VERSION	0x8f564	0x2fc	data	0.43848167539267013

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	MultipleForms
FileVersion	3.0.0.0
InternalName	LTZe.exe
LegalCopyright
LegalTrademarks
OriginalFilename	LTZe.exe
ProductName	MultipleForms
ProductVersion	3.0.0.0
Assembly Version	4.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T23:36:14.186510+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49685	158.101.44.242	80	TCP
2025-03-07T23:36:14.327249+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49686	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:36:10.397908926 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:10.403393984 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:10.403492928 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:10.403753996 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:10.408768892 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:13.493104935 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:13.498218060 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:13.498442888 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:13.498743057 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:13.503726959 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:13.966069937 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:13.979259014 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:13.984266996 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:14.113086939 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:14.117109060 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:14.122159958 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:14.134568930 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:14.144678116 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.144712925 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:14.145004034 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.153374910 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.153393984 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:14.186510086 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:14.284420013 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:36:14.286353111 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.286390066 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:14.286659002 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.290924072 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:14.290937901 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:14.327249050 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:36:16.141982079 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.142148018 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.147147894 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.147160053 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.147612095 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.148627043 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.148724079 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.151700974 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.151720047 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.152602911 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.201888084 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.202153921 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.243740082 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.248322010 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.288331985 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.602257013 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.602469921 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.602674007 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.608428001 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.608480930 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 23:36:16.608570099 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.609677076 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:36:16.616951942 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 23:37:19.134994984 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:37:19.135124922 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:37:19.284167051 CET	80	49686	158.101.44.242	192.168.2.8
Mar 7, 2025 23:37:19.284276962 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:37:54.140656948 CET	49685	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:37:54.145836115 CET	80	49685	158.101.44.242	192.168.2.8
Mar 7, 2025 23:37:54.297044992 CET	49686	80	192.168.2.8	158.101.44.242
Mar 7, 2025 23:37:54.302697897 CET	80	49686	158.101.44.242	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:36:10.376914978 CET	58834	53	192.168.2.8	1.1.1.1
Mar 7, 2025 23:36:10.384347916 CET	53	58834	1.1.1.1	192.168.2.8
Mar 7, 2025 23:36:14.136490107 CET	62284	53	192.168.2.8	1.1.1.1
Mar 7, 2025 23:36:14.143785000 CET	53	62284	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 23:36:10.376914978 CET	192.168.2.8	1.1.1.1	0xab73	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.136490107 CET	192.168.2.8	1.1.1.1	0x9320	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:10.384347916 CET	1.1.1.1	192.168.2.8	0xab73	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:36:14.143785000 CET	1.1.1.1	192.168.2.8	0x9320	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49685	158.101.44.242	80	6312	C:\Users\user\Desktop\mCqTwcbnfm.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:36:10.403753996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:36:13.966069937 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Fri, 07 Mar 2025 22:36:13 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 2405a69ca2f75c3babfd356fd6bec81d Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Mar 7, 2025 23:36:13.979259014 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 23:36:14.134568930 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c2d1407fd4071b05987e6053165295c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49686	158.101.44.242	80	7392	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:36:13.498743057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:36:14.113086939 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 252dc53128528e67d2482d0f095e85bc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 23:36:14.117109060 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 23:36:14.284420013 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 12f17e8b337d5298e31549190c642a25 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49687	104.21.16.1	443	6312	C:\Users\user\Desktop\mCqTwcbnfm.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:36:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:36:16 UTC	856	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:36:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 29532 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 07 Mar 2025 14:24:03 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cD7BsTUJlYKQiO3aKSuEuLUdfsMK2KsUIjvz4wyy%2BaYVmsILl7ej%2BFUkXQ2kJey0NbVHXWMTn%2BVtWTweuEvPsbDX%2FYvw3XftmNcMSJgVdZYm1rGsVQprpv1t7KCj7vVxlxhzO2b7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd921a6fcac5c2-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23114&min_rtt=19607&rtt_var=7793&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=131576&cwnd=90&unsent_bytes=0&cid=b14b77c73cbf9c4a&ts=613&x=0"
2025-03-07 22:36:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49688	104.21.16.1	443	7392	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:36:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:36:16 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:36:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 29532 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 07 Mar 2025 14:24:03 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cys2nCF5HYxCuAUTP4INlpJDdDr3FhZVV6UU%2BklTpGmOC9YPalJk4YblbU4FYTCq4I6DSs8NghcXeEk5bqE02B7rbFua1cgJ2BseLbW7xJ2%2BgUSL5x5UdjuB27GTtW63qnel%2BpmN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd921a99f7a504-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22761&min_rtt=22494&rtt_var=8970&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=117551&cwnd=121&unsent_bytes=0&cid=cab8de760b28beb1&ts=600&x=0"
2025-03-07 22:36:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	17:36:06
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\mCqTwcbnfm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mCqTwcbnfm.exe"
Imagebase:	0x320000
File size:	592'904 bytes
MD5 hash:	00E8957D98A3A103E315A16751BBAB0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.898879333.0000000004254000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.898879333.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:36:07
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Imagebase:	0x190000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:36:07
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:36:07
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpC491.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:36:07
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:36:08
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\mCqTwcbnfm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mCqTwcbnfm.exe"
Imagebase:	0x7c0000
File size:	592'904 bytes
MD5 hash:	00E8957D98A3A103E315A16751BBAB0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2101920585.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2099288656.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	17:36:09
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
Imagebase:	0x550000
File size:	592'904 bytes
MD5 hash:	00E8957D98A3A103E315A16751BBAB0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.927150288.00000000044C6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 71%, ReversingLabs Detection: 79%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:36:10
Start date:	07/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff726800000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:36:11
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvxxbujkwUz" /XML "C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:36:11
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:36:11
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Imagebase:	0x270000
File size:	592'904 bytes
MD5 hash:	00E8957D98A3A103E315A16751BBAB0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:36:11
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\jFvxxbujkwUz.exe"
Imagebase:	0xf70000
File size:	592'904 bytes
MD5 hash:	00E8957D98A3A103E315A16751BBAB0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000C.00000002.2099301772.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2102239325.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	17:36:41
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff66acf0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mCqTwcbnfm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jFvxxbujkwUz.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mCqTwcbnfm.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijnrdsum.mx1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjhcen2u.1y0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovuxusyu.3sk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qef4ihgr.ipn.ps1

C:\Users\user\AppData\Local\Temp\tmpC491.tmp

Windows Analysis Report
mCqTwcbnfm.exe